Showing posts with label red flags rule. Show all posts

Tuesday, May 25, 2010

Red Flags Rule: Are we there yet? Auto Dealerships need to comply...

June 1, 2010, is just the latest in a series of enforcement deadlines for the Federal Trade Commission's Red Flags Rule.

The rule, which actually took effect Nov. 1, 2008, requires businesses handling credit, like dealerships, to adopt written plans to identify, detect, monitor and respond to potential instances of identity theft.

But the FTC has delayed enforcing the rule four times -- first to May 1, 2009; then to Aug. 1, 2009; then to Nov. 1, 2009; and finally, to June 1, 2010.

I've talked to dealers, vendors, trade association executives and lawyers who aren't really sure the latest enforcement deadline will stick.

But one thing is certain: Dealers better comply with the law.  autonews

Monday, May 24, 2010

Do You Comply With the FTC's Red Flag Rule?

Regulations to help prevent identity theft go into effect June 1, and chances are you've got some work to do to comply with them. Here's what you need to know.

You may not even have heard of the federal government's Red Flag Rule, but there's a good chance by June 1 you'll need to comply with it.

The rule requires businesses that are potential targets for identity thieves to develop plans to spot fraud "red flags" and prevent them.

Think the rule only applies to financial institutions? Think again. It requires all "creditors" to comply with the rules, but the definition of creditor is very broad, and includes "businesses or organizations that regularly provide goods and services first and allow customers to pay later," according to a Frequently Asked Questions guide prepared by the Federal Trade Commission, which will enforce the rule. Translation: If you invoice for goods or services, you're a creditor.

You could be forgiven for hoping the government will change the enforcement deadline, considering it's already been extended several times since the original date of November 2008. But of course that won't excuse you from complying. And just having some rules – written or unwritten – about not leaving customer information lying around won't get you off the hook – you have to have a written policy and procedures specifically to handle identity theft.

"I suspect a lot of small businesses were hoping this ultimately wouldn't happen," said Tanya Forsheit, co-founder of InformationLawGroup, a Los Angeles firm that advises businesses on privacy and data security compliance.

The rules – among them, recommendations for data encryption plus regular reviews, annual updates of your policy, and training of staff – can seem onerous, but the FTC has some online do-it-yourself tools and templates to help.

Identity theft has been the number one fraud complaint filed with the FTC for the better part of a decade. So what kind of financial activity constitutes a "red flag" under the new rules? For starters, suspicious documents (like a photo ID that doesn't match the person presenting it), unverifiable addresses and Social Security numbers, and questionable account activity from customers, such as sudden spending on goods that can be resold for cash, frequent requests for cash advances, or failures to make payments on balances after making initial payments. inc.com/news

Wednesday, May 19, 2010

Don't be surprised if more businesses start asking you for identification

It's part of an effort to protect against identity theft.

Be prepared to pull out your driver's license on your next visit to the dentist. And don't be surprised if a retailer asks for a birth date or mother's maiden name if it's giving you credit for your big-ticket purchase.

They're just following federal rules to protect consumers from identity theft. Beginning next month, a wide range of businesses — auto dealers, cell phone companies, real estate agents, mortgage brokers, utilities and health care providers — must start complying with "Red Flag Rules." The rules are meant to stop fraud before it happens by requiring certain businesses to look for signs that customers might be imposters and, if there are signs that they are, to take action. baltimoresun

Sunday, May 16, 2010

Many businesses not yet ready for June 1 deadline

Many small businesses have delayed implementing the identity theft “red flags” rules despite the approaching June 1 deadline — not because they don’t know about them, but because there have been so many extensions to the deadline that companies have put them on the back burner.

The enforcement deadline has been extended several times since the original date of November 2008 to give businesses more time to comply.

“The topic has fallen off the radar. When it got extended last year, people thought ‘OK, there’s no rush.’ I would say there are still a lot of businesses not ready for the deadline,” said Craig Strong, a regional director of human resources for the California Employers Association, a non-profit that advises employers on compliance issues.

Law firms, which the Federal Trade Commission said were covered by the rules, have successfully delayed compliance under a court ruling from a U.S. District Court in Washington, D.C., which is currently on appeal.

All other covered businesses, including accountants and doctors who are hoping to win exemptions, should assume they are covered and delay compliance at their peril, lawyers say.

“I suspect a lot of small businesses were hoping this ultimately wouldn’t happen,” said Tanya Forsheit, an attorney who co-founded InformationLawGroup in Los Angeles, Calif., a firm that advises businesses on privacy and data security compliance.

The rules require a written program for spotting and handling red flags that signal identity theft, training of employees and annual review of the policy.

Initially many businesses were confused by the broad definition of “creditor” and it came as a shock that this included not just banks and traditional lenders, but any business that allows customers or clients to defer payment for goods and services.

Although it’s still possible that the deadline will be extended yet again, lawyers are advising businesses to assume the rules will be enforced as of June 1.

“Everything that’s required is a good practice anyway,” said John Seiver, of counsel to Davis Wright Tremaine in Washington, D.C.

Small businesses

All businesses that bill for goods and services, except for those that deal with cash transactions, are covered.

Although most companies already have common sense rules about not leaving customer information lying around, “hardly any of them had a written procedure or policy specifically dealing with identity theft,” said Strong.

Small businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors. wislawjournal

Wednesday, February 24, 2010

Seeing red: FTC to begin enforcement of identity theft 'Red Flag' Rules June 1, 2010

After multiple delays, the Federal Trade Commission (FTC) will begin enforcement of the Red Flag Rules starting on June 1, 2010. The purpose of the Red Flag Rules is to prevent, identify, and report identity theft. In general, most healthcare organizations will be considered “creditors” that manage “covered accounts” under these rules and will be required to enact formal, written policies and procedures to comply with the new law. The Red Flag Rules define “creditor” broadly to include entities that regularly defer payment on goods or services or provide goods or services and bill for them later. Many healthcare providers will fall into the category of “creditor.”

If the Red Flag Rules apply to an organization as described above, the organization is required to implement written policies and procedures to identify and address the “red flags” that indicate identity theft. For healthcare organizations, the key is developing a list of red flags that may indicate that a person presenting for services is not who they say they are. In practice, organizations may already have procedures that cover much of what is required, but the new rules require formalized processes in written policies and procedures.
lexology.com

Tuesday, February 9, 2010

Medical Groups Ask for Exemption From FTC's 'Red Flags' Regulations

The American Medical Association, American Dental Association and American Veterinary Medical Association in a joint letter to members of the Federal Trade Commission requested that health professionals be excluded from the "Red Flags" rules, which require many businesses to take specific steps to minimize identity theft, Health Data Management reports (Health Data Management, 1/29).

The Fair and Accurate Credit Transactions Act of 2003 mandated the Red Flags rule, which requires creditors and financial institutions to enact procedures to identify, detect and respond to indicators of identity theft. FTC classifies hospitals and physicians as creditors because they accept deferred payment for services (iHealthBeat, 7/30/09).

In the letter to FTC Chair Jon Leibowitz, the medical groups state that the Red Flags rule "imposes an unjustified, unfunded mandate on health professionals for detecting and responding to identity theft." ihealthbeat

Monday, January 11, 2010

Red Flags Compliance: 3 Common Deficiencies - Jeff Kopchik, FDIC


It's been over a year now since banking regulators began examining institutions for compliance with the Identity Theft Red Flags Rule. What have been the common deficiencies, and what will examiners expect in year two?

Kopchik was the Team Leader of the FDIC's 2004 study "Putting an End to Account-Hijacking Identity Theft." He was the FDIC's primary representative on the FFIEC staff working group that drafted the 2005 guidance on Authentication in an Internet Banking Environment. Kopchik was also involved in interagency rulemaking efforts to comply with the Fair and Accurate Credit Transactions (FACT) Act, and was involved in the creation and implementation of the Gramm-Leach-Bliley Act (GLBA) interagency information security guidelines, supervisory guidance on customer notice, FFIEC Business Continuity Planning Booklet, and FDIC guidance on wireless networks. Read interview.

Thursday, November 19, 2009

Red flags rule to curb ID theft


The red flags rule is supposed to help curb identity theft, by shifting some of the burden from consumers to businesses. Learn more at www.ftc.gov/redflagsrule. But you should still keep a close watch on your personal information. Here are some suggestions from the Federal Trade Commission:

Protect your Social Security number. Don't carry your card if you don't need it. Ask why someone needs it if it is requested.

Handle mail with care. Shred documents that contain credit card numbers, banking information and credit card offers. Limit credit card offers: Call 888-5-OPT-OUT (888-567-8688).

Don't give out personal information on the phone, via mail or the Internet, unless you initiated contact and are sure of whom you're dealing with. Miami Herald

Monday, November 2, 2009

Red Flags Rule: Comply Now, Avoid Lawsuit Later


The scenario is far too familiar: Patient gets a call from a hospital about a bill. Patient says they never went to the hospital. Hospital says they did.

Now you've got a case of healthcare identity theft—and maybe a class action lawsuit.

Compliance with the Federal Trade Commission's new Red Flags Rule is critical for healthcare organizations—regardless of whether the FTC postponed its enforcement date to August 1. The compliance date is actually November 1, 2008. That hasn't changed.

Sai Huda, chairman and CEO of Compliance Coach, a San Diego software company that specializes in automated regulatory compliance solutions, says bluntly of the FTC's enforcement delay: "So what? Anyone who is out of compliance is out of compliance."

Patients seeking damages from hospitals in identity theft cases have a leg up against hospitals that have yet to comply with the Red Flags Rule, Huda says. Health Leaders Media

Red Flags Rule extension proliferates medical identity theft


For a fourth time, the Federal Trade Commission (FTC) has delayed enforcement of the Red Flags Rule, an identity theft law--now until June 1, 2010. The FTC announcement came late this afternoon. The Red Flags Rule is a law intended to help control the spread of identity theft.

The rule was scheduled to be enforced for millions of businesses on November 1, 2008, but FTC enforcement has been extended on four separate occasions. The rule has been in effect for those financial institutions regulated by federal banking and credit union authorities since the original deadline. There has been controversy surrounding enforcement of the rule for other types of businesses regulated by the FTC.

Under the law, businesses that allow customers to purchase goods or services on credit must take reasonable and appropriate steps to authenticate that they are extending credit to a real person and not an identity thief. San Francisco Examiner

Friday, October 30, 2009

FTC Red Flags identity theft protection rules to hit Nov. 1


Barring a last-minute delay, the Federal Trade Commission is set to enforce its identity theft rules known as Red Flags on Nov. 1.


The rules have been delayed three times already and were originally set to become practice Nov. 1, 2008.


Under the Red Flags rules all companies or services that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.
Computer World

Saturday, October 17, 2009

WAKE UP! Red Flags Rule Is Here…


Can I Have Your Attention Please?

Ahem, down here guys...OK, here we go. Identity theft is a monolithic problem in the world today. Anyone from the savviest of business CEOs to the youngest babes in our society is at risk; this includes any entity such as a government or non-profit agency. Not even the deceased are safe (so to speak) from this crime.

In fact, ID theft is the fastest growing white collar crime in America, and why not? Most of the bad guys never get caught, and nearly all consumers continue to go about their daily lives as unwary as sheep to a shearing, only to find out too late that they have been misled to a financial slaughterhouse in the aftermath of having their identity stolen.

More than ten million victims fall prey to identity theft in the United States each year, and the number of victims who report this crime continues to explode every year. The reported lost or stolen personal data since 2005 is now more than 339,674,601 records, and this is estimated to be only 20% of what the actual number truly is!

What this really breaks down to is more than half of all U.S. citizens (including small children) have had their personal information stolen. And the FTC says that Every Credit Card ever issued (including Bankcards) has been compromised…Yikes, each and every one!

Is it any wonder, then, that the Payment Card Industry (PCI) has decided it has had enough of covering the financial losses for credit fraud (in the billions), or that the Federal Trade Commission has decided to finally step in and take action in order to help stop the devastating effects of this crime by putting the liability for these breaches onto businesses through the Red Flags Rule?

Now keep in mind that credit fraud is only 33% of the problem. The other 67% is due to other nefarious practices, not the least of which are data breaches from within a company (i.e. a disgruntled employee, negligent security practices or, heaven forbid, no security at all) or outside breaches from cybercriminals known as black hat hackers who take advantage of the low hanging fruit left by poor security. This brings us back to the new federal laws and regulations known as the Red Flags Rule.

To whom do these laws and regulations apply?
The general rule of thumb is that if your business or entity collects, uses, transmits or stores any identifiable information about your customers and/or employees, you must comply with the laws and regulations. This includes: name, address, phone number, SS#, driver's license, birth dates, medical information, Tax ID#, etc.

Not every law or regulation is applicable to every business but every business must meet minimum standards of information security or face heavy fines or even civil action should a breach occur.

What is a Red Flag?
A Red Flag is a potential sign that identity theft may be occurring, and businesses are required by the FTC to spot and act upon any red flags that may be a telltale sign of identity theft. Some of the requirements for compliance include:

• Developing a written red flags program to include: identifying potential red flags, detecting red flags, and a protocol to respond to red flags.

• Educating your employees on these protocols.

• Maintaining and updating your company red flags plan (this is a living law and is subject to changes, it is up to you to know what these are).

Enforcement of the Red Flag Rules begins November 1st 2009, and ignorance of this law is no excuse. Be aware that States can enforce these laws as well and many states have put their own special spin on what is required for a business to be compliant.

Who are Candidates for the Red Flags Rule?

• Doctors, dentists, acupuncturists, chiropractors, massage therapists, nutritionists, mental health providers, etc.

• Lawyers

• CPAs

• Contractors

• Utilities

• Retailers

• Online merchants

• Telecommunications companies

• Debt collectors

• Employee benefit plans that sponsor a flexible spending account when the arrangement uses a debit card.

What if I don’t comply?
Businesses subject to the Red Flags Rule must comply by Nov. 1, 2009 or face the possibility of enforcement action by the FTC in the form of fines or other legal actions. The penalty alone per name stolen or leaked is a staggering $3,500! Your business will come to a halt while the forensic investigators are looking into the cause of the data breach. And here's a fun stat for you: 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately…fun stuff!

Moving right along, your business name by this time is more than likely “Mud” and in most states you are required to inform each and every customer that your company’s data breach has put their good names in jeopardy (ouch); and if that isn’t enough, the law also allows the consumer/victim the right to recoup their losses from you... I’m talking civil and in some cases even criminal suits here people...do I have your attention now?

So what can a business owner do to protect their business data from being harvested by a cyber crook out on the take?

1. Education. Go to the FTC’s website at: FTC Red Flags Rule and learn the facts straight from the horse’s mouth and how they apply to your businesses.

2. Get the best internet protection you can for all of your company's computers, along with a crackerjack team of IT professionals: Safe PC Solution

3. Develop and start implementing your Company’s Red Flags Rules protocol.

4. A simpler way to do this is to have a team of experts work hand in hand with you to certify that your business is following all of the Best Practices so that your company’s important personal information doesn’t fall prey to bad guys looking to sell it for a nickel a name! InfoSafe

In conclusion:
The US Dept. of Homeland Security released a statement in September of 2009 that says that "87% of breaches could be thwarted by simple-to-intermediate preventative measures."…WOW! Is that all?

Tracy Lund
Computer Security & Identity theft

(831) 661-0598

http://safepcsolution.com/

Tuesday, October 13, 2009

Red Flags Rule Facts



What is Red Flags Rule? Identity theft is the fastest growing crime in the 21st century. The Federal Trade Commission now requires all businesses (large or tiny) that collect and/or store personal information from customers to protect their customer’s identity.


Candidates for Red Flags Rule compliance:

• Doctors, dentists, acupuncturists, chiropractors, massage therapists, nutritionists, mental health providers, etc.

• Lawyers

• Accountants

• CPAs

• Contractors

• Utilities

• Retailers

• Telecommunications companies

• Debt collectors

• Employee benefit plans that sponsor a flexible spending account when the arrangement uses a debit card.

What if I don’t comply? Firms that are subject to the Rule must comply by Nov. 1, 2009 or face the possibility of enforcement action by the Federal Trade Commission (FTC).

What is the penalty? A $3,500 fine per customer whose data is stolen or leaked.

Cybercrime is the fastest growing white collar crime in the world. Cybercriminals generate more profit now than the illegal drug trade.

50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately!

Saturday, October 3, 2009

FTC's Red Flags Rule: Are you ready?



The Federal Trade Commission (FTC) has issued regulations intended to reduce the incidence of identity theft. The regulations, known as the Red Flags Rule, require certain firms to develop, adopt and implement written programs designed to detect, prevent and mitigate the effects of identity theft. Firms that are subject to the Rule must comply by Nov. 1, 2009 or face the possibility of enforcement action by the FTC.


The rule applies to a wide variety of businesses and non-profit organizations that may not be aware of it or its requirements. Many firms not normally involved with the FTC will have to comply with the rule. There is no exemption for small firms or non-profit groups.

To know whether your business or organization is subject to the Red Flags Rule, you must determine whether you are a “financial institution” or a “creditor” as the regulations define those terms.

Your firm is a financial institution if it is a state or national bank, state or national savings and loan association, state or national credit union, a mutual savings bank, or if it holds accounts or deposits from which consumers can pay or transfer funds to third parties. For example, a mutual fund that offers check writing or debit card privileges is a financial institution for purposes of the rule.

If your firm is not a financial institution, it may still have to comply with the rule if it is a creditor. Your firm is a creditor if it regularly extends credit or arranges with someone else for the extension of credit or makes credit decisions.

This includes organizations that provide products or services and allow for payment at a later date. Examples of creditors include law practices, accounting firms, medical practices, auto dealers and mortgage brokers, to name just a few.

If your firm is a financial institution or a creditor, you must determine whether it offers or maintains covered accounts. A covered account is either a consumer account designed to permit multiple payments or transactions, such as credit card accounts, mortgage loan accounts, cell phone accounts, auto loan accounts or savings or checking accounts, or any other account that poses a reasonably foreseeable risk of identity theft.

Firms will have to evaluate identity theft risk levels by reviewing the methods they use to open accounts, the methods they use to access accounts and any previous experience they have had with identity theft.

If your firm is a financial institution or a creditor but does not offer or maintain covered accounts, you won’t have to develop a written identity theft program now. However, you will have to conduct risk assessments from time to time to determine whether changes have occurred that may cause the Red Flags Rule to apply.

If you determine that your firm is a financial institution or a creditor and offers or maintains covered accounts, you must develop and implement a program designed to detect, prevent and mitigate identity theft. The program must be in writing and it must be formally adopted by your firm’s board of directors or, if you have no board of directors, by a senior management level employee.

The regulations do not provide a model form of identity theft prevention program for all firms to adopt. Instead, they require that each firm adopt a program that is appropriate for itself, taking into account its size, complexity and the nature of its activities.

However, the FTC offers on its Web site guidance and a template that firms with minimal risk of identity theft may use in creating their programs.

The regulations describe certain elements that each program should include. Each program must provide for policies and procedures that will: identify patterns, practices or activities that will alert the firm to the possible occurrence of identity theft—the so-called Red Flags; detect Red Flags that the program has incorporated; respond to any Red Flags that the firm may detect; and ensure that the firm updates its program periodically to account for any changes in risk to its customers.

The regulations list several categories of Red Flags and state that firms should incorporate those that are relevant into their programs. The categories include: alerts received from consumer reporting agencies or fraud detection service providers; presentation of suspicious documents; presentation of suspicious personal identification information; suspicious activity relating to a covered account; and notices from customers, victims of identity theft, law enforcement agencies or others regarding possible identity theft. An appendix to the regulations provides more detailed examples of Red Flags from each category.

If your firm is subject to the Red Flags Rule and fails to develop, adopt and implement an identity theft program by Nov. 1, 2009, it may be subject to enforcement action by the FTC. This could include an action in court seeking an injunction to compel compliance. It could also include a penalty of up to $2,500 per incident of knowingly violating the rules.

The Red Flags Rule applies to a wide range of businesses and non-profit organizations that understandably don’t consider themselves to be financial institutions or creditors and may be unaware of the rule. Still, those firms will have to comply by developing, adopting and implementing programs to detect, prevent and mitigate identity theft.

With a November 1, 2009 deadline fast approaching, firms should act now to determine whether the rule applies to them and if it does, they should begin work soon on their identity theft programs.

The Business Ledger
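The inc.com item above lists concrete red flags (a photo ID that doesn't match the presenter, unverifiable addresses and Social Security numbers, frequent cash advances, missed payments after an initial one), and the Business Ledger piece lists the five categories the regulations group them into (agency alerts, suspicious documents, suspicious identifying information, suspicious account activity, third-party notices). The following is an added example, not code from any of the quoted articles or from the FTC, showing how a small business could turn those categories into detection rules run over account events and map each hit to a written response step. The event kinds, thresholds (three cash advances in seven days, two missed payments after the first payment) and the response policy are all constructed for illustration; the FTC's appendix of example red flags is not reproduced here.

```python
"""Toy red-flag detector: regulatory categories -> detection rules -> responses.

Added example (not from the quoted articles or the FTC). Event kinds,
thresholds and the RESPONSES policy are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    kind: str                      # constructed event vocabulary, see SAMPLE_EVENTS
    when: datetime
    data: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Flag:
    account: str
    category: str                  # one of the five regulatory categories
    detail: str


def by_account(events):
    """Group events per account, ordered by time, so rules can look at sequences."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        groups[e.account].append(e)
    return groups


# Category 1: alerts from consumer reporting agencies / fraud detection services
def rule_agency_alerts(acct, evs):
    for e in evs:
        if e.kind == "credit_report" and e.data.get("fraud_alert"):
            yield Flag(acct, "agency_alert", "fraud alert on consumer report")


# Category 2: suspicious documents (photo ID does not match the presenter)
def rule_suspicious_documents(acct, evs):
    for e in evs:
        if e.kind == "id_presented" and not e.data.get("photo_matches", True):
            yield Flag(acct, "suspicious_document", "photo ID does not match presenter")


# Category 3: suspicious identifying information (unverifiable address or SSN)
def rule_suspicious_identifying_info(acct, evs):
    for e in evs:
        if e.kind == "application":
            if not e.data.get("address_verified", True):
                yield Flag(acct, "suspicious_identifying_info", "address could not be verified")
            if not e.data.get("ssn_verified", True):
                yield Flag(acct, "suspicious_identifying_info", "SSN could not be verified")


# Category 4: suspicious account activity (frequent cash advances; payments stop after the first)
def rule_suspicious_activity(acct, evs):
    advances = [e.when for e in evs if e.kind == "cash_advance"]
    for start in advances:   # constructed threshold: 3 or more advances in any 7-day window
        if sum(start <= t <= start + timedelta(days=7) for t in advances) >= 3:
            yield Flag(acct, "suspicious_activity", "3+ cash advances within 7 days")
            break
    kinds = [e.kind for e in evs]
    if "payment" in kinds:   # constructed threshold: 2+ missed payments after the first payment
        first = kinds.index("payment")
        if kinds[first + 1:].count("missed_payment") >= 2:
            yield Flag(acct, "suspicious_activity", "missed payments after an initial payment")


# Category 5: notices from customers, victims, law enforcement or others
def rule_third_party_notice(acct, evs):
    for e in evs:
        if e.kind == "notice":
            yield Flag(acct, "notice", f"identity theft notice from {e.data.get('from', 'unknown')}")


RULES = [rule_agency_alerts, rule_suspicious_documents, rule_suspicious_identifying_info,
         rule_suspicious_activity, rule_third_party_notice]

# Constructed response policy: dictionary order is strongest response first.
RESPONSES = {
    "notice": "close or freeze the account and notify the customer and law enforcement",
    "suspicious_document": "refuse to open or extend credit until identity is verified in person",
    "agency_alert": "verify identity with the consumer before proceeding",
    "suspicious_identifying_info": "request additional identification before opening the account",
    "suspicious_activity": "contact the customer to confirm recent transactions",
}
ORDER = list(RESPONSES)


def detect(events):
    """Run every rule over every account; return all flags raised."""
    flags = []
    for acct, evs in by_account(events).items():
        for rule in RULES:
            flags.extend(rule(acct, evs))
    return flags


def categories_by_account(flags):
    out = defaultdict(set)
    for f in flags:
        out[f.account].add(f.category)
    return {a: sorted(c) for a, c in out.items()}


def plan_responses(flags):
    """Pick the strongest written response for each flagged account."""
    return {acct: RESPONSES[min(cats, key=ORDER.index)]
            for acct, cats in categories_by_account(flags).items()}


T0 = datetime(2009, 10, 1)
SAMPLE_EVENTS = [  # constructed sample data
    Event("A-100", "application", T0, {"address_verified": True, "ssn_verified": True}),
    Event("A-100", "id_presented", T0, {"photo_matches": True}),
    Event("A-100", "purchase", T0 + timedelta(days=3)),
    Event("A-200", "application", T0, {"address_verified": False, "ssn_verified": True}),
    Event("A-200", "id_presented", T0, {"photo_matches": False}),
    Event("A-300", "credit_report", T0, {"fraud_alert": True}),
    Event("A-300", "cash_advance", T0 + timedelta(days=1)),
    Event("A-300", "cash_advance", T0 + timedelta(days=2)),
    Event("A-300", "cash_advance", T0 + timedelta(days=5)),
    Event("A-400", "payment", T0 + timedelta(days=30)),
    Event("A-400", "missed_payment", T0 + timedelta(days=60)),
    Event("A-400", "missed_payment", T0 + timedelta(days=90)),
    Event("A-500", "notice", T0 + timedelta(days=10), {"from": "law enforcement"}),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f.account, f.category, "-", f.detail)
    for acct, action in plan_responses(found).items():
        print(acct, "->", action)
```

Each rule is tied to one regulatory category so the written program can cite which category a rule implements, and the response table is a separate, reviewable policy, which is what the annual review and board approval described above would cover. Account A-100 raises nothing; the others each hit one or two categories and receive the strongest applicable response.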

Tuesday, September 29, 2009

Update on Federal Trade Commission Red Flag Rules relating to identity theft


The Red Flag Rules, issued by the Federal Trade Commission (“FTC”) and other regulatory bodies, become effective November 1, 2009, and require certain entities to establish programs that facilitate the detection, prevention and mitigation of identity theft.

What entities are subject to the Red Flag Rules?

The Red Flag Rules apply to financial institutions and creditors that create and maintain covered accounts (defined below). At first blush, an entity may think that it is not subject to the Red Flag Rules because it is not a credit card company or financial institution. However, although the Red Flag Rules certainly apply to financial institutions, they also apply to any “creditor.” The definition of “creditor” is broad. It includes any entity that regularly (1) extends or renews credit (or arranges for others to do so); and (2) provides goods and services to others and allows the consumer to defer payment. The ultimate consumer need not be an individual.

The FTC has provided a list of entities to which it believes the Red Flag Rules apply; however, the FTC cautions that its list is not exhaustive. Briefly, the FTC considers the following groups as prime candidates for Red Flag Rule compliance:

• Doctors, dentists, and other health care providers;

• Accountants and lawyers;

• Utilities;

• Telecommunications companies;

• Debt collectors;

• Retailers; and

• Employee benefit plans sponsoring flexible spending account arrangements when the arrangement utilizes a debit card.

Entities falling into these categories will need to evaluate their obligation to comply with the Red Flag Rules. As described below, the determination will be based in part upon the risk of identity theft among the accounts the entity holds.

The formal obligation to comply with the Red Flag Rules applies to entities with covered accounts. Therefore, all entities should, as an initial matter, examine their internal operations to determine whether they create or maintain covered accounts. The definition of a covered account, like the definition of creditor, is also broad. A covered account can be (1) a consumer account designed to permit multiple payments or transactions; or (2) any other account that presents a reasonably foreseeable risk from identity theft. However, even businesses that have determined they do not have covered accounts still must conduct periodic risk assessments to ascertain whether any changes to that determination have occurred.

Summary of Guidelines for Compliance.

WTN News