The FTC announced over the weekend that, at the request of members of Congress, the compliance date for the Red Flags Rule is now delayed to June 1, 2010. This gives companies additional time to prepare their required Red Flags Rule Plans. The FTC has said it will continue to provide guidance on the development and implementation of these Plans, especially for companies who want to voluntarily adopt identity theft protection measures for the benefit of their customers and business reputation (Click here for the FTC’s Red Flags Rule website). This delay does not affect any other agency oversight or other federal regulations relating to data security and identity theft.
On a related note, a federal court (District of Columbia) issued the first ruling regarding the application of the Red Flags Rule on October 30, 2009. That decision held that the FTC may not apply the Red Flags Rule to attorneys. This case (and any appeals) are independent of the June 1, 2010 delay, but companies should keep an ear out for other decisions that may directly affect their industry.
Barring some last minute legislative/regulatory activity, the FTC will expect companies to be Red Flags Rule compliant as of November 1, 2009. Companies should recognize that there is no “one size fits all” approach to addressing identity theft risks when making a Red Flags Rule Plan. Instead, the FTC expects each company’s plan to be tailored to its own needs and circumstances. Click here for help on steps your company can take.
As new capabilities evolve through technology, so do new opportunities for hackers and thieves to compromise a customer’s data. These technologies stand as a major threat to a bank’s customers. In addition to general concerns of reputation and customer loyalty, banks should not forget that they are expected to help keep customers informed about threats to online security and the protective steps that can be taken.
Evolving Threats
One malware program that chillingly shows how far these programs have come (and that has recently been getting significant press for this) literally steals money from a customer’s account under his or her nose. Once downloaded, the program first captures the customer’s login information for internet banking. After stealing the customer’s password, the program begins transferring money from the account to the thief’s account – a scheme which has been done before. The catch is that the program also intercepts the page content coming from the bank and manipulates it. That means that when the customer refreshes or relaunches his or her account page, the numbers remain the same, so to the customer the account looks untouched. All the while, until the customer logs on from an uninfected machine or realizes something is fishy (be it because recent transactions stop appearing or his or her debit card starts getting declined), the cyberthief has time to escape and cover his or her tracks. Just like crime in the real world, the longer the thief has to flee, the tougher he or she is to catch. Therefore, given the nature of this program, prevention is the only effective solution.
The FTC has delayed the compliance date for the Red Flag Rules (issued by the FTC, the federal bank regulatory agencies and the National Credit Union Administration) to November 1, 2009 to give companies greater time to prepare their systems and protocols. The Rules themselves have not changed. Companies should still take proper steps to ensure compliance by the November deadline. Click here for help on steps your company can take.
Although the FTC intends to publish sample Plans for “low-risk” and “high-risk” companies (terms that are still somewhat hazy at this point), it has not done so as of yet (although it has published a helpful FAQs website). Therefore, many companies are seeking outside business and legal counsel to better understand the Red Flag Rules and to ensure their plan addresses the requirements of these new regulations.
Missouri recently enacted a law which made it the 45th state to adopt data breach notification regulations. The law goes into effect August 28, 2009. Similar to other states’ laws, Missouri’s law applies to any persons and companies who have personal information of a Missouri resident, regardless of size, nature of business or other factors.
What Type of Information is Covered? Missouri’s law defines “personal information” expansively to include:
- social security numbers;
- driver’s license numbers or similar unique identification numbers created by a government body;
- financial account numbers (with a required security code, access code or password which would permit access to the account);
- credit card or debit card numbers (with a required security code, access code or password which would permit access to the account);
- unique electronic identifiers or routing codes (with a required security code, access code or password which would permit access to the account);
- medical information; and
- health insurance information.
What You Must Do After a Breach. If a breach occurs, you must provide notice to the Missouri resident that a breach has occurred without any unreasonable delay. That notice must include, at minimum:
- a description of the incident in general terms;
- the type of information that was obtained in the breach;
- a contact number for the person or company for further assistance; and
- contact information for consumer reporting agencies.
Although some questioned whether the day would ever arrive, the Red Flag Rules issued by the FTC, the federal bank regulatory agencies and the National Credit Union Administration go into effect August 1, 2009. The Rules are drafted broadly and will apply to many different companies, including “financial institutions and creditors with covered accounts.” Essentially, if you offer any form of loan or maintain any form of money account, you will have to comply with the Red Flag Rules.
Preparing for August 1
The biggest step you should take is to prepare a Red Flag Plan. Although the Rules stress that each program should be tailored to the individual entity, some central elements should be present:
- IDENTIFICATION – Make sure your plan identifies what constitutes a “red flag” (i.e. what could reasonably indicate identity theft).
- DETECTION – Make sure you have a written procedure for how you will detect, understand and process any red flags.
- RESPONSE – Make sure you adequately define how you will respond, making sure that you include enough flexibility to respond adequately to different levels of threat.
- MAINTENANCE – Make sure you have a set process for reviewing, updating and revising your Red Flag Plan.
- OVERSIGHT – Make sure the plan is properly approved by the Board of Directors, Managers or similar management positions, and include explicit designations of power as to who in management (either the Board or a senior officer) will oversee the Plan and its execution.