red flag libn article
Ester Horowitz: How to deal with the Red Flag Rule on identity theft
by Commentary
Published: September 2, 2009
On Nov. 1, 2008, the Federal Trade Commission's Red Flag Rule on identity theft took effect.
Approximately 80 percent of U.S. businesses will be required to comply by Nov. 1 of this year.
While many businesses are not enthusiastic about it, the question worth asking is why they
wouldn't be.
Identity theft is not only a threat to our national security; it infiltrates our communities,
encroaches on our liberties and is just plain bad for business. According to CIO magazine, when
your business experiences a security breach, 20 percent of your customers will no longer do
business with you, 40 percent will consider ending the relationship and 5 percent will hire
lawyers.
There are people among us who are living under someone else's identity. They are our
neighbors. They purchase our products and services, use our resources and leave us with the
fallout, which amounts to an average of $92,500 per person. In addition, the cost of not complying
with the Red Flag Rule is $2,500 per incident if charges are brought by federal and state agencies,
and $1,000 in civil liability per incident, with no statute of limitations, for actions brought by
consumers.
The FTC is asking businesses to comply with the Red Flag Rule by following four basic steps:
1) Detect the possibility of identity theft
2) Create policies and procedures
3) Educate employees
4) Maintain vigilance.
To initiate a compliance program, a company is required to obtain the complete support and
cooperation of its board of directors and owners. It also must designate a security officer
responsible for overseeing proper implementation.
Complying with the first step of the process can be as simple as charting how
information flows through the organization. This is a good starting point for the 98 percent of small
businesses that have fewer than 25 employees. The flow chart is also an excellent tool for uncovering
hidden value the company may not realize it has. Following the flow of information is akin to following
the company's processes, and when you follow the processes you are able to detect misalignments in the
work flow that result in poor productivity and/or money left on the table. Identifying red flags
therefore has a benefit beyond compliance and is well worth the time invested.
For larger companies, the detection step takes the most effort. Some organizations
hire outside consultants at an average of $150 per hour to perform the task; others assemble a
team of people from different disciplines within the company to form a compliance
committee that reports to the security officer.
Many companies already performed due diligence on how information flows through their
organization when they were required to comply with other regulations such as the Gramm-Leach-Bliley Act
or the Health Insurance Portability and Accountability Act.
Rather than duplicate this effort, they can update the previous due diligence to reflect what is
happening in the company today and then determine where the potential for identity theft lies.
Policies and procedures generally reflect what was found during due diligence. Small
organizations can take advantage of templates offered by the FTC, trade organizations, attorneys,
consultants and a few highly touted "plug-and-play" programs. Many are offered at no cost, but
when you obtain a template, make sure it can be adapted to reflect your own company's
information flows rather than being adopted unchanged.
Educating employees seems to be the area where most companies experience the most difficulty. There
are only a limited number of organized educational programs available, such as those offered through your
trade association, and costs vary with membership. The most widely endorsed program is
available through PrePaid Legal and is part of an Affirmative Defense Response System, which
includes monitoring and restoration services.
Finally, maintaining vigilance once the organization completes the first three steps is crucial.
Make sure new employees are educated and that periodic due diligence for red flags is performed.
In addition, the regulation requires that you contact your business associates and vendors to
ensure that they, too, are complying with identity theft regulations.
Above all else, before we are people who own or work for a company, we are a collective
of individuals with many roles living in a community. We owe it to ourselves, our children and
our community to go through this process. Complying with the FTC Red Flag Rule keeps
businesses and neighborhoods safe.
Ester Horowitz is a certified identity theft risk management specialist and certified business
counselor. She can be reached at (516) 318-8655 or via e-mail at [email protected].