New Identity Theft Prevention Requirements
Effective November 1, 2008, the Fair and Accurate Credit Transaction Red Flag Rules (“Rules”) take effect. While the Rules clearly apply to financial institutions and credit card issuers, upon closer examination it becomes clear that the Rules apply to many businesses. The Rules also apply to creditors. A creditor is defined as a business that extends credit to a consumer. Put simply, if your business provides a service prior to receiving payment, your business is considered a creditor under the Rules which means it is incumbent upon you to implement a written identity theft program or policy (“Program”) to protect consumer information from unauthorized disclosure.
Consumer information includes the names, addresses and phone numbers of the businesses customers, but also includes social security and credit card information.
Red Flag means “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”
Financial institutions and creditors are required to develop a Program that is designed to detect, mitigate and prevent identity theft in connection with a covered account. Covered account means “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account and any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.” The Program must include reasonable rules and policies to:
1) Identify Red Flags for covered accounts of the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
2) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
4) Ensure that the Program is (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor.[1]
Financial institutions and creditors are required to provide training to staff to ensure the Program is implemented effectively in order to safeguard consumer information.
The Program should also include a confidentiality provision putting employees on notice that any consumer information maintained on a covered account is to be maintained in strict confidence. Consumer information maintained in electronic databases should be password protected and only those employees who have a business need for accessing the information should be give access passwords. Information maintained in a paper format should be secured and only accessed by those employees who need the information to perform the duties of their respective jobs.
The Rules provides for civil penalties that range between $2,500 and $11,000 per violation. Note that ignorance of the law is not an excuse and will not be a defense for failure to comply with the Rules.
[1] Citation omitted.
A note to the reader: This article is intended to provide general information and is not intended to be a substitute for competent legal advice. This article has been reprinted with the permission of Lee Building Industry Association, www.bia.net. Questions regarding the content of this column or past columns may be e-mailed to Christina Harris Schwinn. To view past columns written by Ms. Schwinn please visit the firm’s website at www.paveselaw.com. Ms. Schwinn is an experienced employment lawyer and a partner with the Pavese Law Firm, 1833 Hendry Street, Fort Myers, FL 33901; Telephone: (239) 336-6228; Telecopier: (239) 332-2243.