Pay attention to this. If you take credit cards or have any other financial information on your customers, you could have a penalty of $2500 per transaction, effective 8/1/09.
On August 1, 2009, new federal regulations enforced by the FTC come into effect – the so-called Red Flags Rule – that require businesses to take pro-active measures to detect and prevent identity theft involving client data. Financial institutions, which are not regulated by the FTC, have been subject to enforcement of the Rule since November 1, 2008. The consequences of non-compliance are significant. The penalties are up to $2,500 per violation. And each customer account would be considered a separate violation, if you get this wrong.
Who does this apply to?
As written, the rule applies to “financial institutions” and “creditors” with “covered accounts.” A covered account is so broadly defined that just about any business that tracks transactions with customer-identifying information can be said to create “covered accounts.” That means the rule may reach you if you hold Social Security numbers, credit card information and even, some fear, names and addresses.
But it gets worse. Here’s how the FTC defines a creditor:
In statements to clarify the meaning of the rules, the FTC noted that “any person that provides a product or service for which the consumer pays after delivery is a creditor.”
This extremely broad definition of “creditor” could apply to virtually any business that allows customers to defer payment and pay on credit. Or simply pay after delivery. In other words, fix someone’s car and then tell them how much they owe you – you are now a creditor.
What are the Red Flags?
Applicable sections of The Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the Red Flags Rule, define a red flag as a pattern, practice or specific activity that indicates the possible existence of identity theft. The regulations provide guidance by listing five specific categories of red flags:
- Alerts, notifications or other warnings received from consumer reporting agencies or service providers such as fraud detection services.
- The presentation of suspicious documents.
- The presentation of suspicious personal identifying information, such as a suspicious address change.
- The unusual use of, or other suspicious activity related to, a covered account.
- Notice from customers, victims of identity theft or law enforcement authorities.
What Do You Need To Do?
If your business qualifies as a “creditor” with “covered accounts” under the Red Flags Rule, you are required to implement a four-pronged identity theft prevention program for covered accounts.
Identify. You must identify and incorporate into your identity theft program any relevant patterns, practices, and activities that are “red flags” that could signal possible identity theft.
Detect. You must develop policies and procedures to detect red flags.
Respond. You must respond to any red flags that are detected in order to prevent and mitigate identity theft. If red flags are detected, the guidelines recommend monitoring accounts for evidence of identity theft, contacting the customer, calling law enforcement, and changing any security device that permits account access.
Update. You must update your ID theft program periodically to handle any changes in risks to customers from identity theft, or even risks to the soundness of the covered entity itself.
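As an added illustration of the Detect step (example code written for this post, not the FTC's guidance or any vendor's product), the following Python sketch evaluates a stream of account events against the five red flag categories listed above. The event kinds, the 30-day window after an address change and the 5x spending threshold are assumed placeholders that a business would tune to its own accounts.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class AccountEvent:
    account_id: str
    when: datetime
    kind: str          # hypothetical kinds: cra_alert | document | address_change | purchase | notice
    details: dict = field(default_factory=dict)

def detect_red_flags(events, window=timedelta(days=30), spike=5.0):
    """Return [(account_id, category, reason)], one entry per red flag found."""
    per_account = defaultdict(list)
    for ev in events:
        per_account[ev.account_id].append(ev)
    flags = []
    for acct, evs in per_account.items():
        evs.sort(key=lambda e: e.when)
        last_move, history = None, []   # time of last address change; prior purchase amounts
        for ev in evs:
            d = ev.details
            if ev.kind == "cra_alert":                      # 1. alert from a CRA or fraud service
                flags.append((acct, "alert", d.get("message", "")))
            elif ev.kind == "document" and d.get("verified") is False:  # 2. suspicious document
                flags.append((acct, "suspicious_document", d.get("doc", "")))
            elif ev.kind == "address_change":               # 3. suspicious identifying information,
                last_move = ev.when                         #    flagged when a shipment follows it
            elif ev.kind == "purchase":                     # 4. unusual use of the account
                amt = d.get("amount", 0.0)
                if last_move and ev.when - last_move <= window and d.get("ship_to_new_address"):
                    flags.append((acct, "suspicious_pii", f"ships to an address changed {(ev.when - last_move).days} days ago"))
                if history and amt > spike * sum(history) / len(history):
                    flags.append((acct, "unusual_use", f"amount {amt:.2f} vs. usual {sum(history) / len(history):.2f}"))
                history.append(amt)
            elif ev.kind == "notice":                       # 5. notice from customer, victim or police
                flags.append((acct, "notice", d.get("source", "")))
    return flags

# Constructed sample events, not real customer data.
SAMPLE_EVENTS = [
    AccountEvent("A100", datetime(2009, 1, 5), "purchase", {"amount": 20}),
    AccountEvent("A100", datetime(2009, 1, 12), "purchase", {"amount": 25}),
    AccountEvent("A100", datetime(2009, 2, 1), "address_change", {"new": "PLACEHOLDER ADDRESS"}),
    AccountEvent("A100", datetime(2009, 2, 10), "purchase", {"amount": 400, "ship_to_new_address": True}),
    AccountEvent("A200", datetime(2009, 2, 3), "cra_alert", {"message": "fraud alert on file"}),
    AccountEvent("A300", datetime(2009, 2, 4), "document", {"doc": "ID card", "verified": False}),
    AccountEvent("A400", datetime(2009, 2, 6), "purchase", {"amount": 18}),
]
```

Each flag the function returns is the trigger for the Respond step; the account with a normal purchase history (A400) produces none.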
The Red Flags Rule is one more sign privacy law is changing rapidly. The trend is clearly toward laws that require pro-active safeguards and that are broadly applicable to all industries.