| FACTA & The Red Flag Rules |
| The FACTA (Fair Accurate Credit Transaction Act) law was passed in 2003 and made effective in 2005. The law not only allows individuals to obtain a free copy of their credit report, it also holds business executives responsible for the personally identifiable information that they keep on clients and employees. The law applies “to any business or individual who collects, maintains or processes consumer information for an intended business purpose”.

In the event that consumer information is lost under the wrong set of circumstances, the law specifically allows for:
• Fines of up to $3500.00 per instance per occurrence
• Class action and individual lawsuits with no statutory limitation
• Responsibility for damages
• Executives within an organization to be held responsible both criminally and civilly

During November 2007 the federal government passed its amendment to FACTA called the Red Flag Rules. The Red Flag Rules are effective January 2008 and have a mandatory compliance date of November 1, 2008. The new amendment requires a business to have:
• A Written Identity Theft Prevention Plan and Mitigation Plan
• Written approval of the plan by the Board of Directors or an employee at the level of senior management
• A designated security officer or compliance officer
• Mandatory training for all employees who have access to personally identifiable information
• Documented evidence that it investigated the compliance of all its contract and service providers

The Red Flag Rules apply to a wide variety of businesses on different levels. The law appears to apply only to financial institutions and creditors; however, the definition of those entities is so broad that it applies to virtually all businesses. The following are excerpts from definitions taken from the actual Red Flag Rules:

"Creditor" - Under the Red Flags Rule, "creditor" has the same meaning as Section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.
ECOA defines "creditor" to include a person or entity who arranges for the extension, renewal, or continuation of credit, which in some cases could also include third-party debt collectors and any entity that defers billing to its client base. As outlined in the final rule, "creditor" specifically includes, but is not limited to, lenders such as banks, finance companies, automobile dealers, and mortgage brokers, insurance brokers, real estate brokers (who manage property, use a credit report for any purpose or arrange for the acquisition of a mortgage) and creditors such as utility companies, telecommunications, and cellular/wireless companies.

"Account" - Under the Red Flags Rule, "account" means: "a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes." Account specifically includes: "(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and (ii) A deposit account." Because a person may establish a relationship with a creditor, such as an automobile dealer, realtor, or a telecommunications provider, primarily to obtain a product or service that is not financial in nature, "account" includes relationships with creditors that are not financial institutions, and the definition is no longer tied to the provision of "financial" products and services.

"Covered Account" - Under the Red Flags Rule, a "covered account" means: "(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks."

Red Flag Rules recently became effective in January 2008, and compliance is required by November 2008. The FTC’s enforcement of the Rule was extended to Nov. 1, 2009: "Many businesses don't realize that even though the FTC isn't enforcing compliance, it doesn't mean those businesses won't be liable if a data breach or loss of information occurs," said Debra Geister, Director of Fraud Prevention and Compliance Solutions at Lexis-Nexis. The key issue is that the law was effective January 1, 2008. The enforcement date begins May 1, 2009. |
| For an article written by the Texas Workforce Commission on FACTA Click Here |
| For a copy of the FTC June 2008 Business Alert on the Red Flag Rules Click Here |
| For a detailed report on identity theft and how it affects individuals Click Here |





| For a copy of the FTC guide "Protecting Personal Information: A Guide for Businesses" Click Here |
| U.S. Congress Considers Small Business Exemptions to the Red Flags Rule Click Here For Details |