FACTA & The Red Flag Rules
The FACTA (Fair and Accurate Credit Transactions Act) law was passed in 2003 and made
effective in 2005. The law not only allows individuals to obtain a free copy of their
credit report; it also holds business executives responsible for the personally identifiable
information that they keep on clients and employees. The law applies “to any business
or individual who collects, maintains or processes consumer information for an
intended business purpose”. In the event that consumer information is lost under the
wrong set of circumstances, the law specifically allows for:
• Fines of up to $3500.00 per instance per occurrence
• Class action and individual lawsuits with no statutory limitation
• Responsibility for damages
• Executives within an organization to be held responsible both criminally and civilly
In November 2007 the federal government passed its amendment to FACTA called
the Red Flag Rules. The Red Flag Rules became effective in January 2008 and have a mandatory
compliance date of November 1, 2008. The new amendment requires a business to have:
• A written Identity Theft Prevention Plan and Mitigation Plan
• Written approval of the plan by the Board of Directors or an employee at the level of senior management
• A designated security officer or compliance officer
• Mandatory training for all employees who have access to personally identifiable information
• Documented evidence that it investigated the compliance of all its contract and service providers
The Red Flag Rules apply to a wide variety of businesses on different levels. The law
appears to apply only to financial institutions and creditors; however, the definition of
those entities is so broad that it applies to virtually all businesses. The following are
excerpts from definitions taken from the actual Red Flag Rules:
"Creditor" - Under the Red Flags Rule, "creditor" has the same meaning as Section 702
of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines "creditor"
to include a person or entity who arranges for the extension, renewal, or continuation of
credit, which in some cases could also include third-party debt collectors and any entity
that defers billing to its client base. As outlined in the final rule, "creditor" specifically
includes, but is not limited to, lenders such as banks, finance companies, automobile
dealers, and mortgage brokers; insurance brokers; real estate brokers (who manage
property, use a credit report for any purpose or arrange for the acquisition of a mortgage);
and creditors such as utility companies, telecommunications, and cellular/wireless
companies.
"Account" - Under the Red Flags Rule, "account" means: "a continuing relationship
established by a person with a financial institution or creditor to obtain a product or
service for personal, family, household or business purposes." Account specifically
includes: "(i) An extension of credit, such as the purchase of property or services
involving a deferred payment; and (ii) A deposit account." Because a person may
establish a relationship with a creditor, such as an automobile dealer, realtor, or a
telecommunications provider, primarily to obtain a product or service that is not
financial in nature, "account" includes relationships with creditors that are not
financial institutions, and the definition is no longer tied to the provision of
"financial" products and services.
"Covered Account" - Under the Red Flags Rule, a "covered account" means: "(i) An
account that a financial institution or creditor offers or maintains, primarily for personal,
family, or household purposes, that involves or is designed to permit multiple payments
or transactions, such as a credit card account, mortgage loan, automobile loan, margin
account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for
which there is a reasonably foreseeable risk to customers or to the safety and
soundness of the financial institution or creditor from identity theft, including
financial, operational, compliance, reputation, or litigation risks."
The Red Flag Rules became effective in January 2008, and compliance is
required by November 2008. The FTC’s enforcement of the Rule was extended to
May 1, 2009:
"Many businesses don't realize that even though the FTC isn't enforcing
compliance, it doesn't mean those businesses won't be liable if a data breach or loss
of information occurs," said Debra Geister, Director of Fraud Prevention and
Compliance Solutions at Lexis-Nexis. The key issue is that the law was effective
January 1, 2008. The enforcement date begins May 1, 2009.
How do we help your company?
Our firm, Anderson & Associates, provides a long list of products and services to assist
businesses and consumers with identity theft, data breaches, and privacy compliance. One
of our strongest programs is the Affirmative Defense Response Program. Below is an
outline of the advisory board that oversaw the development of the program, a few of the
officials who have endorsed it, and what it provides.
Affirmative Defense Response System
Advisory Board:
• Mike Moore former Attorney General of Mississippi
• Andrew Miller former Attorney General of Virginia
• Grant Woods former Attorney General of Arizona
• Duke Ligon, Sr. VP and General Counsel for Devon Energy Corporation
Endorsed by:
• President of the US Chamber of Commerce
• President & CEO of National Black Chamber of Commerce
• Former President of the American Bar Association
• Former President of the National Association of Attorneys General
• Numerous Attorneys General
Program Provides:
1. Privacy & Security Meeting Notice
a. Documents the employees' notice of the mandatory security and identity theft prevention meeting
b. Inspires the employees to begin brainstorming methods that can be taken to help secure data within the workplace
2. Appointment of Security & Compliance Officer
a. Documents the appointment of the mandatory position
b. Enables the board and senior management to designate the responsibility for enforcement of the Sensitive Nonpublic Information Policy & Identity Theft Prevention Plan
3. Sensitive Nonpublic Information Policy & Identity Theft Prevention Plan & Policy
a. Mandated by law and must be separate from the existing privacy policy
b. Addresses identity theft prevention, how data is to be secured, processed and maintained, and addresses RED FLAGS
c. Includes training for staff on identity theft, the policy, and the laws
4. Use of Confidential Information by Employee/Contractor
a. Documents that employees have been trained on identity theft, the laws and the policy
b. Employees acknowledge and accept responsibility for any damages that will be incurred by the company or victims
c. Employees agree to follow the laws and policies the company has in place; the form is signed, dated and witnessed
5. Offering of Personal Mitigation Plan Form
a. Lowers the company’s exposure to individual and class action lawsuits from employees
b. Documents whether the employee decided to enroll or not
6. 3rd Party Vendor Letter
a. Makes service providers aware of the company’s position on data security
b. Requests that service providers either implement the ADRS program, show documented evidence of a comparable program that they have in place, or complete an indemnification and hold harmless agreement
c. Documents your investigation of your company’s contract and service providers
d. Fulfills the company’s requirements per the Red Flag Rules
7. Indemnification & Hold Harmless Agreement
a. Documents that service providers understand all provisions of FACTA and the Red Flag Rules and accept all responsibility for the NPI/PII that they have access to
ALL AT NO DIRECT COST TO YOUR COMPANY
If you would like more information on identity theft or the Red Flag Rules, please do not
hesitate to call my office directly. I can be reached at 404-474-2273 or
KJ3rd@KJ3rd.com. Thank you for your time and have a blessed day.
This document was created by K.J. Anderson III, CITRMS. Any program that is
implemented must be tailored to the nature and complexity of the business it is designed
for. Therefore, the information contained in this document is not to be taken as legal
advice.
• For an article written by the Texas Workforce Commission on FACTA: Click Here
• For a copy of the FTC June 2008 Business Alert on the Red Flag Rules: Click Here
• For a detailed report on identity theft and how it affects individuals: Click Here
• For a copy of the FTC guide "Protecting Personal Information: A Guide for Businesses": Click Here