Opinions from the commercial side
November deadline set for FACTA identity theft rule
By Jim DeGeronimo Sr.
Tags: identity theft, FTC, FACTA, information security planning
Identity theft has become the number one crime in America! It is
growing so quickly, primarily due to data breaches. The Federal
Trade Commission (FTC) has determined that most of the information
stolen is taken from the workplace. In an effort to stop or at
least curtail these mounting occurrences, old laws have been
revised and new ones created. They compel businesses who handle
non-public information to be much more responsible. The new
identity theft red flag rule puts the mortgage industry directly in
the line of fire! No less than seven federal government agencies
collaborated to draft and pass this new legislation.
Think about it: How many customer records do you have in your
office? Hundreds? Thousands? Think about every file cabinet,
storage box, laptop or hard drive in your office. If you lost even
a fraction of those records, would you have $1,000 per record
on-hand to pay in fines? The numbers are terrifying, and the fines
are real. Saturday, Nov. 1, 2008 is the compliance deadline for
this Fair and Accurate Credit Transaction Act (FACTA) red flag
rule. The red flag rule targets all businesses with credit-based
customer relationships, and specifically calls out the mortgage
industry. If this is the first time you've heard of the red flag
rule, time is short to become compliant.
"The red flag rule is an indicator of a larger trend that we've
seen in both legislation and in court decisions," said Bryan
Thornton, the director of information security planning for
idBusiness. "Businesses and business owners are being held to a
higher standard. They are entrusted with safeguarding customer
data, and if they are negligent in that regard, they will face some
pretty serious consequences."
There are seven main stipulations of the red flag rule that your
plan must meet to be considered compliant:
1. You must have a formal, written identity theft
prevention program
Putting your plan in writing shows that your organization has
undertaken a formal process to address information security, and
that you have done more than just think about the problem.
2. Controls must mitigate and prevent the risks
associated with identity theft
What does this mean? Basically, in order to address the entire
organization and all of its vulnerabilities, your plan must be
cross-disciplinary. It cannot just be the information technology
department's problem to solve, but must include operational and
administrative controls as well.
3. The plan must be administered by a board of directors
or by senior management
The key success factor in any information security program is
senior management's involvement. Senior management is, ultimately,
legally and financially responsible in the event of a data
breach.
4. A compliance report must be generated on at least an
annual basis
This stipulation encourages accountability: it makes sure that a
final policy does more than sit on a shelf. Fortunately, the law
does allow an organization to seek external advice for the best way
to maintain an ongoing program.
5. The plan must be updated periodically
Criminals evolve in their tactics, and your organization must
evolve as well. As new threats emerge and new means to protect your
company become available, it makes sense to revisit your policy and
update it to reflect the changing times. The technical nature of
many information crimes means that the people who perpetrate these
crimes are smart, savvy and ahead of the curve when it comes to
finding new ways to hack a system. It's up to you to try and stay
ahead of those criminals. Training your employees about the
acceptable use of your network and information resources is vital
to maintaining a secure environment. It's good practice that pays
off in the long run.
6. The plan must include an incident response
capability, should you experience an internal breach of
information
The difference between the best programs and the rest of the
programs is that the best expect incidents to occur and are
prepared to respond. Being prepared reduces response time,
financial losses, and damages to brand integrity and your
reputation. Incidents happen!
7. The plan must also account for the risks associated with
vendors, suppliers and third parties
Many data breaches have been the result of poor third-party
controls. Ultimately, under this law, you will be held responsible
for your vendors, and as such, your vendors must also be held
accountable for the information you give them.
The red flag rule became law on Jan. 1, 2008. FACTA extended a
grace period to businesses, giving them a deadline of Saturday,
Nov. 1, 2008 to become compliant. If your business does not have a
red flag-compliant information security program in effect before
Saturday, Nov. 1, you will be in violation of FACTA.
Jim DeGeronimo Sr. is president of Majestic Security LLC. He
may be reached at (888) 331-2332 or e-mail [email protected].