What do you need to do to protect against identity theft liability?
THE INTERNET—It’s been on hold for a while, but come June 1, enforcement of the Red Flags Rule will be in full force. Understanding of who’s affected and how to comply has proved confusing to many. And noncompliance with these Federal Trade Commission guidelines could cost your company a lot of money.
The Central Station Alarm Association on March 30 conducted a webinar to educate security business owners about their responsibilities concerning the FTC’s Red Flags Rule, which requires certain businesses protect themselves and their coustomers from identity theft. “On Nov. 1, 2008, the Federal Trade Commission established rules requiring any entity that regularly extends, renews or continues credit, such as alarm companies, to develop and implement written identity theft prevention programs,” read CSAA’s March 9 edition of Signals. “While enforcement of the rules has been delayed several times, the new date for enforcement is June 1, 2010. The enforcement delay may not relieve a business from financial liability to a customer whose identity is stolen and the business did not have a Red Flags program in place.”
CSAA VP of marketing and programs Celia Besore moderated the webinar, which was led by speaker Mary Sisak, a partner at Blooston, Mordkofsky, Dickens, Duffy & Prendergast. Sisak established that based on poll results all attendees who voted were subject to the Red Flags Rule. “This has always been a little bit fuzzy … A lot of people don’t’ think it applies to them, but it’s not just banks,” Besore said. “It’s anyone who lends money—which is what you do when you extend credit. People probably aren’t paying for all their equipment from Honeywell upfront in cash.”
Sisak agreed. “My goal is to help you understand the rules and to help you determine what your company must do to comply,” Sisak said. “To determine the appropriate response, the first thing that you need to keep in mind is what the purpose of the Red Flags Rule is. It imposes duties on financial institutions and creditors regarding the detection of, protection from, and mitigation of identity theft.”
Sisak then conducted her first poll, which asked attendees what kinds of identifying data they were collecting from their customers, such as birthdays, social security numbers, or driver’s license numbers. Identity theft, Sisak said, is simply “using identifying information of another person to commit fraud. So the fact that you collect these identifying pieces of information means that you have the possibility of being the victim of, or facilitating your customers being the victim of identity theft.”
The Red Flags Rule affects companies that are considered “creditors,” which the FTC defines as “any person who regularly extends, renews or continues credit, any person who arranges for the extension credit, or any person who participates in the decision to extend, renew or continue credit,” Sisak said.
A company that allows its customers to access or make changes to their account remotely, a popular feature of many modern security solutions, also makes a company subject to the Red Flags Rules.
The potential loss to a company found to be involved in a case of identity theft while in noncompliance with the Red Flags Rule is great. They face an FTC fine of $10,000 for each violation or $2,500 per violation in the event of a pattern or practice of violations. Further, states have the right to bring suits on behalf of residents with the penalty for each individual violation capped at $1,000. “There’s no safe harbor in these rules, no procedures you can follow that will excuse you from paying penalties,” Sisak said. “You need to have a policy in place that the FTC will deem sufficient to deal with these issues of identity theft.”
The FTC maintains a Red Flags Rule guidelines site at www.ftc.gov/redflagsrule.