From the December 2009 issue of American Agent & Broker

Avoiding E&O: Red flags mean danger ahead

By Louie Castoria and Lori S. Nugent, partners, Wilson Elser Moskowitz Edelman & Dicker LLP

Data theft is the fastest-growing crime in the United States. Law enforcement has been struggling to catch thieves who use computers to commit fraud. In an equivalent of the "Whack a Mole" game, every time law enforcement gets the word out and plugs a software "hole," thieves pop up and commit crimes using a different software vulnerability. Coincidentally, the federal government has a huge debt and is looking to refill its coffers.

The new Federal Trade Commission "red flags rule," designed to fight data theft, applies to any business that receives payment for services after, rather than when, services are rendered, which includes most insurance agencies and brokerages.

The catch: The new rule allows a civil penalty of up to $3,500 per violation. Each record breached may qualify as a violation, so if a crook steals a business laptop with 1,000 customer names with Social Security or bank account information, and the business is not in compliance with the FTC regulation, the civil penalty could be $3.5 million.

And there's a lot more at stake than fines, a possible injunction, or a potential civil class action suit for damages. There also is your agency's reputation and goodwill to think of.

What are the red flags?

The red flags rule states two basic ideas:

  1. Businesses should identify events that indicate that their customers' personal identifying information may be at risk of loss or theft.
  2. Businesses should have contingency plans that they put into action when one of those indicators happens and there is reason to believe that a loss or theft might happen.

Put simply, the red flags rule is a combination of Murphy's Law and the Scout's Motto: what can go wrong will, and be prepared.

People who deal with data theft every day, including FBI agents, will tell you it isn't a question of whether a business or individual will be the victim of data theft--it is a question of when. Think about it: How many notices have you and your friends and family received in the last 3 years about either a data breach or issuing a new credit card number for no readily apparent reason?

The FTC scheduled Nov. 1 as the date when it would start enforcing the red flags rule, so if a business to which the rule applies failed to have a contingency plan in place after that date and sustained a loss of customer identifying data, there may not be hell to pay, but $3,500 per violation. This can add up pretty quickly when the FTC counts the breach of each individual's data as one violation and you have 250 sales reps walking around with laptop computers that contain customers' identifying information, and no contingency plan in place.

Fortunately, Congress mandated a postponement of the enforcement date to June 1, a firm deadline that will not, under any circumstances, be further extended, even though there happens to be a midterm election next year. Remember, President Obama is under a lot of pressure and has put a lot of pressure on administrative agencies like the FTC to bring in money to reduce the federal budget deficit. Strictly enforcing red flags could become a cash cow. We must treat the June 1 deadline as both serious and immutable.

The basics

Mindful of the deadline, we turn to the most often-asked questions about the red flags rule:

Does the rule apply to me? The rule applies to "financial institutions" and to "creditors." Under the rule, a "creditor" includes "businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later." If you bill a customer rather than getting paid on the spot or before providing your services, you are a "creditor" under the rule. That covers a lot of businesses.

If the rule applies, what do I have to do? The FTC has provided an easy online PDF form to help "low-risk" businesses take the necessary steps at http://www.ftc.gov. This is essentially a blank piece of electronic paper, containing the following headings:

  1. The red flags we have identified
  2. How we'll detect the red flags we have identified
  3. How we'll respond to the red flags we have identified
  4. Our Program has been approved by ___ (board of directors, board committee, or senior manager)
  5. The person who will administer our Program is ___
  6. Categories of employees we'll train and how we'll provide training
  7. Service providers we'll contact about complying with the Red Flags Rule, and
  8. How we'll keep our Program current.

You're kidding, right? No, that is really what the form says. It does not say what a red flag is, what possible responses are, or who should do the training. It does convey the essential idea that "creditors" must identify red flag events, detect when they occur, have a response plan in place, get senior approval for the plan, conduct training and communicate with vendors, and regularly update the plan. That last sentence pretty well sums up the 59 densely worded pages of the Federal Register where the red flags rule lives, plus the simplified, 22 megabyte booklet (Fighting Fraud With The Red Flags Rule, A How-To Guide for Business). The good news is it's fairly easy to prepare your red flags plan, and by doing so you'll be able to say, "Here it is," when you are the victim of a data breach and the FBI asks you for your red flags document. Otherwise, the FBI agent likely will communicate with FTC and you will likely be in the penalty box.

The FTC provided a list of many red flag events in its original draft of the rule, but later clarified that "The list of Red Flags is illustrative only." Still, those illustrations provide some guidance as to the kinds of events that businesses should be on watch against:

o Alerts, notifications or warnings from a consumer reporting agency. One example: "A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report."

o Suspicious documents, such as when "The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification."

o Suspicious personal identifying information. One FTC illustration: "Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File."

o Unusual use of, or suspicious activity related to, the covered account. This could include, "The customer fails to make the first payment or makes an initial payment but no subsequent payments."

o Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor. Here, the creditor "is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft." So, when the FBI calls, that is a red flag (this one is really simple).

If you have followed the 8-step path above, you will know how the privacy violation could have occurred, because you'll have identified the weaknesses in your security system. They could include an employee who took home a flash drive that contained hundreds of customer accounts, but lost it on the train ride back to work the next day. It could be something low-tech, like an insurance application being faxed from the applicant's office to yours, with the original being tossed in the waste can. By tying together the person whose information seems awry and the likely source of the data loss, you can identify others whose private information is also at risk, and leap ahead to your plan of action by notifying them, notifying the authorities, and notifying your E&O insurer.

The FTC has estimated that for most "creditors," creating a red flags program should require between 6 and 20 hours of work, with additional work for training and regular program updating. If all you need to do is document the steps you already have in place, that estimate is on target. If, however, this is the first time you are thinking about data breaches, it could take longer. The FTC is correct in saying that each business is unique. Even among insurance agencies and brokerages there are wide variations in procedures, technology, training and management styles. There is no "one size fits all" version of an agent's or broker's red flags program, but making the effort to develop a careful one may be a "stitch in time" that saves nine, as the saying goes--where an early investment of time in developing a good plan, perhaps with outside advice, can save a lot of headaches in the years that follow.

If we have seemed a bit jocular in this discussion, it is because we want today's lesson to be memorable. With a June deadline for compliance, it would be easy to forget about it. We urge against doing that. Identity theft is the fastest growing crime in the U.S., and businesses of all sizes need to protect themselves and their customers from becoming its next victims.

Even the best systems can't completely stop identity thieves. If they somehow procure your clients' private identifying data, you don't want to have to explain to those clients that you didn't have a legally required plan in place to help protect them, even though that plan could never have been made bulletproof. Handled well, communicating with your customers about a data breach and the steps you've taken to protect them can actually enhance customer loyalty. Handled poorly, it could be a career ender. You've probably read or heard news stories about big data breaches--did you want to do business with that company?

Red flags by the roadside mean "danger ahead, slow down." The danger is a new regulation coming June 1. Please slow down and start formulating your firm's red flags program, which could be as simple as scheduling a January meeting or delegating the task today to someone you trust.
