Monday, May 24, 2010
Do You Comply With the FTC's Red Flag Rule?
You may not even have heard of the federal government's Red Flag Rule, but there's a good chance by June 1 you'll need to comply with it.
The rule requires businesses that are potential targets for identity thieves to develop plans to spot fraud "red flags" and prevent them.
Think the rule only applies to financial institutions? Think again. It requires all "creditors" to comply with the rules, but the definition of creditor is very broad, and includes "businesses or organizations that regularly provide goods and services first and allow customers to pay later," according to a Frequently Asked Questions guide prepared by the Federal Trade Commission, which will enforce the rule. Translation: If you invoice for goods or services, you're a creditor.
You could be forgiven for hoping the government will change the enforcement deadline, considering it's already been extended several times since the original date of November 2008. But of course that won't excuse you from complying. And just having some rules – written or unwritten – about not leaving customer information lying around won't get you off the hook – you have to have a written policy and procedures specifically to handle identity theft.
"I suspect a lot of small businesses were hoping this ultimately wouldn’t happen," said Tanya Forsheit, co-founder of InformationaLawGroup, a Los Angeles firm that advises businesses on privacy and data security compliance.
The rules – among them, recommendations for data encryption plus regular reviews, annual updates of your policy, and training of staff – can seem onerous, but the FTC has some online do-it-yourself tools and templates to help.
Identity theft has been the number one fraud complaint filed with the FTC for the better part of a decade. So what kind of financial activity constitutes a "red flag" under the new rules? For starters, suspicious documents (like a photo ID that doesn't match the person presenting it), unverifiable addresses and Social Security numbers, and questionable account activity from customers, such as sudden spending on goods that can be resold for cash, frequent requests for cash advances, or failures to make payments on balances after making initial payments.
inc.com/news