On November 1, many companies will be required to comply with new regulations issued by the Federal Trade Commission that are designed to reduce the risk of fraud through identity theft. The so-called Red Flag rules (formally known as Identity Theft Red Flags and Address Discrepancies) require companies subject to the legislation—essentially any company that issues invoices—to develop a written information security program to detect, prevent and mitigate identity theft in connection with certain types of accounts, including those that present a reasonably foreseeable risk to customers.
The rules are intended to ensure companies can identify and respond to the warning signs of potential identity theft. Companies that don’t comply and that suffer a data breach may face financial penalties (up to $3,500 per violation in federal court or $1,000 in state courts) as well as civil lawsuits from identity theft victims. To prepare, your company should dust off its information security policy and have it reviewed by qualified legal counsel to ensure it conforms with the FTC requirements. The following seven guidelines can assist your company with its compliance.
1. Perform a Risk Assessment
Your company should determine whether it has accounts covered by the rules (for example, some professionals, such as accountants, lawyers and healthcare providers, are disputing whether they should be covered). Then determine whether your company has a written information security program in place that complies with the regulations, or whether there are gaps in your company’s procedures for the identification, detection, response or mitigation of potential red flags—the warning signs that personal data is vulnerable to theft.
The information security program must incorporate reasonable policies and procedures given the size and complexity of your company to (a) define relevant red flags, (b) detect the red flags that you have identified, (c) respond appropriately to each detected red flag and mitigate any identity theft and (d) ensure these policies and procedures are reviewed regularly and updated to reflect evolving threats.
2. Define Relevant Red Flags
The FTC rules don’t provide a definitive list of red flags; your company will have to develop its own based on experience and on examples provided under the Fair and Accurate Credit Transactions Act (the law responsible for the creation of the red flag rules). Possible red flags include unusual patterns of activity or suspicious or incorrect information entered into a credit application.
3. Detect and Respond to Red Flags
Your company should develop procedures to detect the red flags during daily business operations. The information security program should have procedures to identify and alert someone to potentially suspicious activity in an account, as well as a set of formal policies that dictate how your company will respond. For example, if your company has identified that the Social Security number entered into a new account application is fraudulent, the information security program should define procedures for preventing anyone from opening a new account for that applicant. The program should also have procedures that include such steps as regular monitoring of all accounts, closing accounts with flagged activity and notifying, to the extent possible, the victims of suspected identity theft.
4. Know Who Is in Charge
Your company’s information security program should clearly state who is responsible for designing and implementing its compliance program. Include all appropriate personnel—for example, your company’s legal team can be as important as your IT staff. Define and explain each team member’s role and who they report to. If your company is developing a written information security program for the first time, the FTC requires that the program be approved by your company’s board of directors or an appropriate board committee. After the initial approval, the board may designate itself, a committee or senior management to oversee the implementation and administration of the information security program and approve all significant changes.
5. Train Employees
Having a written information security program does not ensure compliance unless your company’s employees are following its procedures. Develop appropriate training to implement the information security program and make every effort to help employees understand their roles and responsibilities. For example, they should know how to maintain and protect private information in their care, how to identify potential problems (which includes being familiar with the red flags and what they mean) and how to respond to problems they find. All training should be properly documented for compliance records.
6. Insist on Third Party Compliance
Customers or vendors with access to your company’s data should have a written information security program that is as robust as your company’s program and that complies with the FTC rules. Some states even demand it: Nevada now requires that all companies, and any third party providing services to the company or its customers, have an information security program that complies with the state’s information security program requirements. Similarly, in Massachusetts, a company must take all reasonable steps to verify that its agent or third party service provider can protect personal information as required by state law, and must ensure that their security measures are at least as stringent as those required by state law.
7. Stay Up To Date
The rules require companies to review their information security program regularly and to ensure the list of red flags stays current with evolving methods of identity theft. Schedule a review of your company’s security program at least annually, assessing compliance and making modifications as necessary. Incorporate changes that reflect your company’s experiences, new technologies, new account types and new methods of detecting and identifying theft. Flexibility is essential for adapting to the rapidly changing world of identity theft.
These guidelines can assist your company in its efforts to comply with the Red Flag Rules. However, as a result of ever-changing data security regulations at both the state and federal level, it is always a good idea to seek competent legal counsel and continually monitor legal developments to ensure that your company remains compliant.
Matthew Karlyn is a senior counsel and Aaron Tantleff is an associate with Foley & Lardner’s Information Technology & Outsourcing Practice Group. Nick Dyer is an associate with Foley & Lardner in the firm’s Private Equity & Venture Capital Practice Group.