FACTA & The Red Flag Rules
The FACTA (Fair and Accurate Credit Transactions Act) law was passed in 2003 and made effective in 2005. The law not only allows individuals to obtain a free copy of their credit report, it also holds business executives responsible for the personally identifiable information that they keep on clients and employees.

The law applies "to any business or individual who collects, maintains or processes consumer information for an intended business purpose".

In the event that consumer information is lost under the wrong set of circumstances, the law specifically allows for:

• Fines of up to $3500.00 per instance per occurrence
• Class action and individual lawsuits with no statutory limitation
• Responsibility for damages
• Executives within an organization to be held responsible both criminally and civilly


During November 2007 the federal government passed its amendment to FACTA, called the Red Flag Rules. The Red Flag Rules are effective January 2008 and have a mandatory compliance date of November 1, 2008. The new amendment requires a business to have:

• A written Identity Theft Prevention Plan and Mitigation Plan
• Written approval of the plan by the Board of Directors or an employee at the level of senior management
• A designated security officer or compliance officer
• Mandatory training for all employees who have access to personally identifiable information
• Documented evidence that it investigated the compliance of all its contract and service providers

The Red Flag Rules apply to a wide variety of businesses on different levels. The law appears to apply only to financial institutions and creditors; however, the definition of those entities is so broad that it applies to virtually all businesses. The following are excerpts from definitions taken from the actual Red Flag Rules:


"Creditor" - Under the Red Flags Rule, "creditor" has the same meaning as in Section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines "creditor" to include a person or entity who arranges for the extension, renewal, or continuation of credit, which in some cases could also include third-party debt collectors and any entity that defers billing to its client base. As outlined in the final rule, "creditor" specifically includes, but is not limited to, lenders such as banks, finance companies, automobile dealers, and mortgage brokers; insurance brokers; real estate brokers (who manage property, use a credit report for any purpose or arrange for the acquisition of a mortgage); and creditors such as utility companies, telecommunications, and cellular/wireless companies.

"Account" - Under the Red Flags Rule, "account" means: "a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes." Account specifically includes: "(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and (ii) A deposit account." Because a person may establish a relationship with a creditor, such as an automobile dealer, realtor, or a telecommunications provider, primarily to obtain a product or service that is not financial in nature, "account" includes relationships with creditors that are not financial institutions, and the definition is no longer tied to the provision of "financial" products and services.


"Covered Account" - Under the Red Flags Rule, a "covered account" means: "(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks."

The Red Flag Rules became effective in January 2008, and compliance is required by November 2008. The FTC's enforcement of the Rule was extended to Nov. 1, 2009:

"Many businesses don't realize that even though the FTC isn't enforcing compliance, it doesn't mean those businesses won't be liable if a data breach or loss of information occurs," says Debra Geister, Director of Fraud Prevention and Compliance Solutions at Lexis-Nexis.

The key issue is that the law was effective January 1, 2008. The enforcement date begins May 1, 2009.

              
For an article written by
the Texas Workforce
Commission
on FACTA
Click Here
For a copy of the FTC June
2008 Business Alert on the
Red Flag Rules
Click Here
For a detailed report on
identity theft and how it effect
individuals
Click Here
For a copy of the FTC guide
"Protecting Personal Information
A Guide for Businesses
Click Here

TOP 10 REASONS TO OUTSOURCE IDENTITY THEFT    
PREVENTION & FACTA RED FLAG COMPLIANCE


Your company's reputation and customer relationships are at stake in a data breach, so you can't afford missteps in data breach prevention or privacy compliance. Yet many organizations attempt to handle data breach risks on their own, without professional assistance, which may be why lost business typically accounts for 65% of the costs following a data breach.

The Identity Theft Education Center's mission and sole focus is assisting companies with identity theft education, staff training and data breach prevention. Don't try to deal with data breach risk using a "do-it-yourself" methodology. You seek outside legal advice, you use an outside accounting firm, you use an outside PR firm, so don't try to handle the risks surrounding something as potentially devastating as a data breach without outside expertise.

The Top Ten reasons to outsource data breach prevention, staff training and privacy compliance are:

1. You only have one chance to get it right; you can't afford to make it up as you go. Managing a data breach incident is very similar to a product recall, with all of the related risks and issues. By outsourcing the entire process, you'll ensure adherence to best practices, minimize reputational damage and ensure compliance with legal statutes.

2. Data breaches are governed by an inconsistent and hard-to-decipher set of data breach notification laws from over 44 states, and many of these states are also working on prescriptive privacy protection legislation. You shouldn't risk inadequate compliance with all the jurisdictions where you may have customers and employees.

3. Independent assessment of your internal and external risk exposure by certified professionals, and mitigation plans based on industry-standard principles, will allow you to better understand and address data breach risk factors.

4. Experts can help you handle identity theft prevention right the first time. A poorly thought-out or crafted identity theft prevention policy and mitigation plan has been proven to increase customer churn and may leave your company exposed to civil liability for the actual and punitive damages of affected individuals.

5. Having your compliance handled by a seasoned, credentialed source ensures that you stay up to speed on all areas of vulnerability and newly passed legislation that apply to your particular business.

6. Having a well-trained workforce is the best defense against data breaches. You can have the best IT and policies and procedures, but neither will protect your company from a well-intentioned yet improperly educated employee who just doesn't know any better.

7. The right outsource partner will keep meticulous records of all communications, notifications, contacts and interactions with third-party vendors, providing you with a critical tool to defend your organization in case of litigation.

8. Offering a comprehensive personal mitigation plan dramatically reduces the potential for "damages" and improves victim satisfaction when experts assist them with restoring their identity to pre-theft status. The Identity Theft Education Center offers services provided by Kroll Background Inc. Kroll is the largest Risk Management Firm in the world (www.kroll.com).

9. The legislative landscape is changing rapidly. Requirements for complying with the FACTA Red Flag regulations and the other federal and state legislation are complex and shouldn't be left to chance.

10. Outsourced identity theft prevention can be 50% less expensive than handling it internally, due to the vendor's experience, scale and use of best practices.



The Do's and Don'ts of FACTA Red Flag Compliance

Employee Training:

A lot of brokers have used programs provided by credit companies and have either trained their staff themselves or used an online training module, which unfortunately could cause major problems for brokers down the line. A major point of contention during civil litigation will be the credentials of the trainer who trained your staff as well as the curriculum they were trained on. A key rule of thumb is to make sure all employees are trained on all five areas of identity theft, the laws, as well as what policy the company puts in place.

Vendor Investigation:

80% of all breaches occur via third-party contract and service providers. It is not enough to just mail a letter. A detailed investigation of the companies your company does business with is absolutely crucial. Even if a company you share data with does experience a data breach, you want to make sure you have sufficient documented evidence that you investigated their compliance prior to sending them the data they lost. This is again another major point of contention which could dramatically increase or decrease your company's liability in the event of a breach.

Your understanding of identity theft:

The federal government recognizes 5 common types of identity theft. Therefore, if your program or the training involved was only financial in nature, you have not addressed 80% of your compliance needs and the liability associated with it.

Your program being tailored to the nature and complexity of your particular business:

The law states that "your particular program must be tailored to the nature and complexity of your particular business." This means that you unfortunately can't copy what someone else has done and expect it to be adequate for your business. In order to document that you have tailored a program to your business's specific needs, you need to be able to show that you have conducted some sort of risk assessment. If you cannot document that you ever took a serious look at your company's vulnerabilities, it would be next to impossible to show you tailored your program to address them.

The Identity Theft Education Center
FACTA Red Flag Compliance Program
Provided by Anderson & Associates

Risk Assessment

1) We provide a detailed risk assessment in order to evaluate a company's vulnerabilities pertaining to data security.

"Effective data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has, or could have, access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure information only after you've traced how it flows."
(Protecting Personal Information: A Guide for Business, Federal Trade Commission)

Policies and Procedures

2) We then take the findings from the risk assessment to assist the company with developing its Identity Theft Sensitive and Non-Public Information Policy.

The purpose behind an Identity Theft Sensitive and Non-Public Information policy is to protect the non-public information (NPI) and personally identifiable information (PII) a business collects from customers and employees. This information can be names, addresses, phone numbers, credit card numbers, driver's license numbers, bank account numbers, social security numbers, etc.: basically any data that identifies an individual and could be used to steal his or her identity.

3) We assist you with documenting the appointment of a Security Officer, as well as providing them access to training.

It's not enough to just appoint a security officer and not provide them any specific training. How would your employee ever be able to effectively handle their new responsibilities if they have not been trained to do so?

Mitigation Plan

4) We then provide your company with a new confidentiality agreement documenting the employee's acknowledgement of the law, participation in training, receipt of policy and acceptance of liability.

"Ask every new employee to sign an agreement to follow your company's confidentiality and security standards for handling sensitive data. Make sure they understand that abiding by your company's data security plan is an essential part of their duties."
(Protecting Personal Information: A Guide for Business, Federal Trade Commission)

5) We then provide a Certified Identity Theft Risk Management Specialist to provide comprehensive training to your staff on identity theft, the laws, your company's new policy, as well as the importance of protecting client and other employees' PII/NPI.

"Regularly remind employees of your company's policy, and any legal requirement, to keep customer information secure and confidential... Create a 'culture of security' by implementing a regular schedule of employee training. Update employees as you find out about new risks and vulnerabilities. Make sure training includes employees at satellite offices, temporary help, and seasonal workers. If employees don't attend, consider blocking their access to the network."
(Protecting Personal Information: A Guide for Business, Federal Trade Commission)

6) Document that staff was provided access to a personal mitigation plan which provided comprehensive protection.

Mitigation Plan provided by Kroll. Kroll was founded in 1972 and acquired in 2004 by Marsh McLennan Companies Inc., a NYSE-listed company. They are headquartered in New York and have offices in more than 25 countries worldwide with over 4000 employees. They are the only data security and breach recovery solution provider to employ licensed investigators (many former FBI and CIA agents) with thousands of hours of work experience and the hands-on understanding required to methodically restore an individual's identity to pre-theft status. www.Krollfraudsolutions.com

Documenting that employees and clients were offered access to a personal mitigation plan dramatically lowers the company's liability pertaining to the actual and punitive damages of the affected individuals.

3rd Party Contract & Service Providers

7) We then draft the third party notice letter for your company.

8) We follow up on the letter and provide your company with a third party vendor report completed by a Certified Identity Theft Risk Management Specialist.

Continuous Updates

9) We then give you access to continuous training, education and access to web-based tools to assist you with additional risk assessments.

The Identity Theft Education Center President
K.J. Anderson III Biography Sheet

K.J. Anderson III is one of the nation's leading experts on identity theft. He has recently been appointed as the new president of the Identity Theft Education Center. While others were scrambling to tell people to lock their mailboxes and shred their credit card statements, Mr. Anderson was warning consumers of the potential health risks, Social Security and tax issues, financial disasters, and the reality that they could face false imprisonment as a result of someone stealing their identity. He has helped to implement Identity Theft Prevention and Mitigation programs which today protect tens of thousands of Americans' identities, and even more recently he has been educating major corporations, hospitals, independent physician practices, government agencies and small businesses on how to better protect the identities and non-public information of their employees and customers.

Mr. Anderson has traveled extensively across North America speaking to groups and providing training to many organizations. His primary focus has been on FACTA and the Red Flag Rules. In 2006 he conducted a workshop on FACTA for the Mid-America Mortgage Brokers Association with the then NAMB president Jim Nabors, and most recently he has been lecturing and conducting workshops for numerous individual state mortgage broker and banker associations. He was recently featured at the joint Hawaii state conference for the Mortgage Banker and Mortgage Broker Associations. Now that the FTC has stated that the mortgage community must comply with the FACTA Red Flag Rules, he has become one of the nation's most sought-after speakers and consultants.

As a speaker he has shared stages with the Attorney General's office, the Federal Trade Commission and numerous law enforcement agencies. His workshops have been used for continuing education for numerous industries including human resources, mortgage, financial services, and medical. He has trained hundreds of other groups of law enforcement officers, insurance agents and companies, human resource managers, risk management professionals, corporate leaders, and average citizens.

He is a member of the prestigious International Association of Privacy Professionals and he is the Senior Certified Identity Theft Risk Management Specialist for the state of Georgia, accredited by the Institute of Fraud and Risk Management.


K.J. Anderson III, CITRMS
191 Peachtree Street, Atlanta, GA 30303
Direct: 404-474-2273  Email: KJ3rd@KJ3rd.com
www.KJ3rd.com   www.linkedin.com/in/kj3rd

The Identity Theft Education Center employs only Certified Identity Theft Risk Management Specialists (CITRMS) accredited through the Institute of Fraud and Risk Management.

For additional information contact our office directly at 404-474-2273 or go to wwww.identitythefteducate.com

For additional information on and references for K.J. Anderson III go to: www.linkedin.com/in/kj3rd

Related: U.S. Congress Considers Small Business Exemptions to the Red Flags Rule