The Laws & Your Liability
"With the workplace being the site of more than half of all identity thefts, ... executives must 'stop thinking about data protection as solely an IT responsibility,' more education is necessary."
- "ID Thefts Prevalent at Work," Human Resource Executive, April 5, 2007
"The loss of sensitive data can have a crippling impact on an organization's bottom line."
- Forrester, "Calculating the Cost of a Security Breach," April 2007
"A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace."
- Douglas Hottle, Meyer, Unkovic & Scott, "Workplace Identity Theft: Curb an HR Headache," BLR: Business and Legal Reports
Important Legislation
- FACTA & FACTA Red Flag Rules
- Fair Credit Reporting Act
- Gramm-Leach-Bliley Safeguard Rules
- Individual State Laws (Texas whistleblower)
Summary of Business Requirements

WileyRein.com - White Paper
By Kirk J. Nahra
Your Growing Exposure for Identity Theft Risks
"We will act against businesses that fail to protect their customer data."
- Betsy Broder, Assistant Director, FTC Division of Privacy and Identity Protection
Fair and Accurate Credit Transactions Act (FACTA)
This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose, and it requires businesses to develop and implement a written privacy and security program.

FACTA Identity Theft Red Flag Rules
The Red Flag Rules recently became effective in January 2008, and compliance is required by November 2008. The Federal Trade Commission (FTC) and 5 federal agencies have strengthened the FACTA law with the recorded Identity Theft Red Flag Rules.
- On page 10, the responsibility for having an Identity Theft Mitigation Program, training, and an Information Security Officer in place falls on the Board of Directors.
- On page 15, it further states that if a "Board of Directors" does not exist, responsibility falls on "a designated employee at the level of Senior Management."
- On page 21, "Identity Theft" is defined as "a fraud committed or attempted using the personal identifying information (PII) of another person without authority."
- On page 22, it designates that the loss of "one single piece" of Personally Identifiable Information (PII) constitutes an "Identity Theft" and places the "at fault company" under the penalty provisions of the FACT Act of 2005 (FACTA).
http://www.FTC.gov/os/2007/10/r611019redflagsfrn.pdf
Fair Credit Reporting Act (FCRA)
If an employer obtains, requests, or uses consumer reports or investigative consumer reports for hiring purposes or background screening, then the employer is subject to FCRA requirements.
http://FTC.gov/os/statutes/031224fcra.pdf
Gramm-Leach-Bliley Safeguard Rules (GLB)
Eight federal agencies and any state can enforce this law. This law applies to organizations that maintain personal financial information about their clients or customers. Non-Public Information (NPI) lost under the wrong set of circumstances may result in:
Privacy & Security Laws Summary
These laws require businesses to:
1. Appoint, in writing, an Information Security Officer.
2. Develop a written plan and policy to protect non-public information for employees and customers.
3. Hold mandatory training for all employees on the reality of identity theft.
4. Implement an Identity Theft Mitigation Program.
5. Oversee service provider arrangements
Liability Follows the Data
Entities cannot escape their obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
Contact The Identity Theft Resource Group to speak to your organization, business, chamber, or non-profit group about identity theft and how to better protect yourself.
