By Christopher Mathews, Lionel Sawyer & Collins
Identity theft continues to plague the nation, with businesses and individuals reporting nationwide losses running into the hundreds of millions of dollars each year. In 2003, Congress passed legislation requiring federal agencies to issue new regulations to detect and fight identity theft. In 2007, the Federal Trade Commission (FTC) issued the "Red Flags Rule," which requires covered businesses and organizations to develop and implement programs aimed at detecting and halting such theft. Failure to comply by the rule's November 1, 2009 implementation date may result in stiff civil penalties and intrusive audit and compliance measures.
The Red Flags Rule applies to financial institutions and to any business that regularly permits deferred payment, or provides goods or services and bills customers later, if there is a "reasonably foreseeable risk" of identity theft in its accounts. Businesses covered by the Red Flags Rule must develop, implement, and administer a written identity theft prevention program, approved at the highest level of the company. The program must include policies and procedures to identify the "red flags" of identity theft relevant to the business, a method to detect those red flags, procedures to follow when red flags are detected, and a method to re-evaluate the program as the risks of the crime change.
"Red flags," according to the FTC, are patterns, practices, or specific activities that indicate the possibility of identity theft. When a red flag is detected, a company might notify the customer, close or refuse to open an account, change a password, or notify law enforcement. There is no one-size-fits-all approach: the response must be appropriate to the degree of risk posed. Businesses must tailor their programs to the size of the business and the risk of identity theft likely in their operations, and must ensure that employees are trained in the program and actually put it into practice. A business must update its program as risks change or when the business undergoes a change such as a restructuring, merger, or acquisition.
The Red Flags Rule represents a fundamental shift in the prevention of identity theft, from passive data protection and encryption to a proactive approach that looks for signs of misuse in day-to-day operations. These regulations affect any business that provides goods or services without requiring payment in advance or at the time the goods or services are provided. Past FTC enforcement actions in the realm of identity theft have included both a review of the company's policies and a review of the company's actual implementation of those policies. A weak policy, or a strong policy that is insufficiently implemented, can spell trouble for the company under review, including hefty civil penalties or injunctions. Past FTC actions in identity theft-related cases have imposed fines in the millions of dollars and required the violator to submit to, and pay for, third-party audits and monitoring for up to 20 years.
Businesses must ensure they are familiar with the Red Flags Rule and in compliance when it goes into effect on November 1, 2009. The rule may affect many aspects of your business, including internal policies and information-sharing arrangements with third parties. Visit www.ftc.gov and search for "red flags."
Contact Christopher Mathews at Lionel Sawyer and Collins for more information.