FTC Extends Red Flags Rule Deadline


The Federal Trade Commission announced today that it would once again extend the enforcement date of the Red Flags Rule. The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs - or "red flags" - of identity theft in their day-to-day operations.


By moving the date from August 1st to November 1st, the FTC hopes to give small businesses and those unfamiliar with the Rule additional time to prepare.

This latest delay in enforcement of the Red Flags Rule does not affect the financial industry, which was required to be in compliance last year, by November 1, 2008.

Find answers to FAQ regarding the Red Flags Rule here.

The FTC press release can be found here.


2 Comments

Denise,

Good info on Identity Theft. I have one question for you since the FTC is unable to provide a direct answer with respect to the new Red Flags Rule. Of the 256 pages of the law, nowhere does it clarify the term 'mitigation'. The law explains both the detection and prevention part, but falls short with mitigation. Can you help me to understand the following:

A victim of ID Theft is born and later found that the breach took place at a car dealership. What is your understanding of the law as it pertains to the dealer's responsibility?

Thank you.

Mike - that is a great question and appears to be open to interpretation. Having reasonable procedures that include identifying red flags cannot, as we all know, guarantee an id theft will not occur.

The link to FAQs on FTC site notes that "the Rule seeks to reduce the damage crooks can inflict both on victims of identity theft and on businesses..." and interestingly it further notes that it is the FTC who will assess compliance based on the reasonableness of a company's policies and procedures. See this:

Does the Rule require that I have specific practices or procedures in my Program – like identifying a particular red flag or reporting suspected identity theft?

The Rule doesn’t require any specific practice or procedures. It gives you the flexibility to tailor your Program to the nature of your business and the risks it faces. The FTC will assess compliance based on the reasonableness of a company’s policies and procedures. Businesses with a high risk for identity theft may need more robust procedures – like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined Program – for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.

You can submit your question directly to the FTC at http://ftc.gov/ftc/contact.shtm

Hope this helps
