Las Vegas Sun

April 16, 2024

FTC delays enforcement of identity theft rules

The federal government has once again delayed the enforcement of its red flag rules to cut down on identity theft stemming from electronic transactions.

Enforcement of the rules has been pushed back three months to Nov. 1. It was expected to begin Aug. 1.

The rules apply to any business that extends credit to its customers, such as banks, credit card companies, mortgage lenders and retail stores. The rules don’t apply to businesses that simply accept credit cards, such as restaurants and grocery stores.

The government describes red flags as “potential patterns, practices or specific activities indicating the possibility of identity theft.”

Businesses are urged to consider relevant risk factors, the sources of possible red flags and the categories of common red flags.

Red flags vary from business to business, and different accounts pose different risks.

The Federal Trade Commission enacted the regulation in January 2008 but has yet to start enforcing it.

Identity theft is a means for a thief to make money quickly, said Christopher Mathews, a lawyer with Lionel Sawyer & Collins.

“From a criminal’s point of view, it’s low-risk and high-reward,” he said. “It’s a great venue for a determined criminal to make a lot of money. That’s why the FTC is so concerned about it.”

Those companies will have to come up with an internal policy — a written identity theft prevention program — that detects identity theft, Mathews said.

Those policies also need to spell out how the company will respond to a red flag situation and what to do to mitigate identity theft.

The policy needs to be updated and reviewed at least annually, more frequently if weaknesses in the system have been identified, he said.

The policies are not the job of a company’s information technology department but that of senior management or the board of directors, Mathews said.

“This is no longer an IT problem, this is a boardroom problem,” he said.

Staff need to be trained and there needs to be oversight of employees who have access to the credit files. The agency has, in the past, heavily fined companies that didn’t comply with their internal policies, he said.

A case in point: In 2006 the agency fined ChoicePoint, a data warehouser based in Alpharetta, Ga., $15 million for failing to protect consumers’ personal information.

“The FTC is pretty serious about this,” Mathews said. “They mean for it to be complied with.”

Moreover, the agency will check to make sure companies’ internal red flag policies are being followed, and if they aren’t, it could mean costly fines and audits for a noncompliant company, he said.

The rule is enforced by the Federal Trade Commission, the federal bank regulatory agencies and the National Credit Union Administration.

The four basic elements:

• Reasonable policies and procedures to identify red flags encountered in the daily operation of the business;

• The program must be designed to detect the red flags identified;

• The program must spell out appropriate actions to take when red flags are detected;

• The policy must address how the program will periodically be reevaluated to reflect new risks from identity thieves.
