red flag libn article

Upload: witsowitz

Post on 11-Jul-2015

Page 1: Red Flag LIBN Article

Ester Horowitz: How to deal with the Red Flag Rule on identity theft

by Commentary

Published: September 2, 2009

On Nov. 1, 2008, the Federal Trade Commission enacted the Red Flag Rule on Identity Theft. Approximately 80 percent of U.S. businesses will be required to comply by Nov. 1 of this year. While many businesses are not enthusiastic about it, the question that begs asking is why wouldn’t they be?

Identity theft is not only a threat to our national security, it infiltrates our communities, encroaches on our liberties and is just plain bad for business. According to CIO magazine, when your business experiences a security breach, 20 percent of your customers will no longer do business with you, 40 percent will consider ending the relationship and 5 percent will hire lawyers.

There are people among us who are living under someone else’s identity. They are our neighbors. They purchase our products and services, use our resources and leave us with the fallout, amounting to an average of $92,500 per person. In addition, the cost of not complying with the Red Flag Rule is $2,500 per incident if charges are brought by federal and state agencies and $1,000 in civil liabilities per incident, with no statute of limitations, from actions brought by consumers.

The FTC is asking businesses to comply with the Red Flag Rule by following four basic steps:

1) Detect the possibility of identity theft

2) Create policies and procedures

3) Educate employees

4) Maintain vigilance.

To initiate a compliance program, companies are required to obtain the complete support and cooperation of their boards of directors and owners. They also must elect a security officer responsible for overseeing proper implementation.

Complying with the first step of the process can be as simple as establishing a chart about how information flows in the organization. This is a good step for the 98 percent of small businesses that have fewer than 25 employees. The flow chart is also an excellent tool to detect hidden wealth the company may not realize. Following the flow of information is akin to following the processes of the company. When you follow the processes, you are able to detect misalignments in the work flow that can result in poor productivity and/or money left behind. Therefore, identifying red flags has an important benefit and is well worth the invested time.

For larger companies, the detection process takes the most effort to perform. Some organizations hire outside consultants at an average of $150 per hour to perform the task, and others elect a team of people in the company who represent different disciplines to form a compliance committee that reports to the security officer.

Many companies already performed due diligence on how information flows in their organization when they were required to follow other regulations such as Gramm-Leach-Bliley or the Health Information Portability and Accountability Act.

Rather than duplicate this effort, they can update the previous due diligence to reflect what is happening in the company today and then determine where the potential is for identity theft.

Policies and procedures generally reflect what was found in the due diligence process. Small organizations can take advantage of templates offered by the FTC, trade organizations, attorneys, consultants, and a few highly touted “plug-and-play” programs. Many offer them at no cost, but make sure when you obtain the templates that they can be adapted to reflect your company’s information.

Educating employees seems to be the area where most companies experience difficulty. There are only a limited number of organized educational programs available, such as through your trade association. Costs vary according to membership. The most widely endorsed program is available through PrePaid Legal and is part of an Affirmative Defense Response System, which includes monitoring and restoration services.

Finally, maintaining vigilance once the organization completes the first three steps is crucial. Make sure new employees are educated and periodic due diligence for red flags is performed. In addition, the regulation requires that you contact your business associates and vendors to ensure that they are also complying with identity theft regulations.

Above all else, before we are people that either own or work for a company, we are a collective of individuals with many roles living in a community. We owe it to ourselves, our children and our community to perform this process. Complying with the FTC Red Flag Rule keeps businesses and neighborhoods safe.

Ester Horowitz is a certified identity theft risk management specialist and certified business counselor. She can be reached at (516) 318-8655 or via e-mail at [email protected].