Clear Insights - Security News You Can Use

Here a Flag, There a Flag, Every Where a Red Flag
In case you missed it the Federal Trade Commission (FTC) has extended the mandatory compliance date for the "Red Flags Rule" until May 1, 2009. The Red Flags Rule requires financial institutions and any creditor to be responsible for developing, and implementing, an Identity Theft Prevention Program. Per the FTC site, this program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. It must enable a financial institution or creditor to:
  1. Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;
  2. Detect red flags that have been incorporated into the Program;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.
When I first heard about the Red Flags Rule back in early 2008 I assumed that this was just another compliance regulation the financial institutions had to implement, and include in their regular audit processes. Although that is true, I did not at the time realize how broad of a definition the FTC uses for a "creditor". As it turns out the definition of a "creditor" is taken from the Equal Credit Opportunity Act stating "any person who regularly extends, renews, or continues credit...Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors."
Now the typical "covered accounts" that this rule applies to are financial accounts (credit card, checking, savings), loans (mortgages, auto loans), but service accounts are also included (utility and cell phone). According to Tiffany George, attorney in FTC's Division of Privacy and Identity Protection, any interaction where a consumer is not paying up front would make the business a creditor.
The original deadline of Nov 2008 was extended because so many organizations did not consider themselves creditors. Failure to comply to this regulation could result in anything from fines ($2500 per violation), individual/class action lawsuits, as well as federal and state prosecutions if any personally identifiable information (PII) from the creditor is compromised. With the new deadline quickly approaching, it probably warrants everyone to consider if they too could be deemed a "creditor" and act appropriately.