On May 1st the FACTA Red Flag Rule goes into effect. If you’re the average small business owner, you haven’t even heard about the Red Flag Rule. You might also think it only applies to financial institutions. However, these new regulations affect almost every business. The rules can be onerous to comply with and come with sharp teeth. Not a good combination for small businesses struggling just to stay afloat.
So what is the Red Flag Rule? In short, it requires businesses to develop and implement a program that will identify potential identity theft through suspicious activities. These patterns of suspicious activity are called “red flags.” Every business must create a compliance program to identify and respond to red flags. Once the program is developed, employees must be trained on it.
The Red Flag Rule will be enforced by the Federal Trade Commission (FTC). However, as with other recent privacy legislation, there are allowances for individuals to seek damages under the law. In other words, trial lawyers will be salivating to put together class action lawsuits against businesses. After August 1st, 2009, if an employee fails to recognize identity theft red flags and report them, the penalty could be a financially crippling lawsuit.
The rule applies to any business that offers or connects customers to credit. Almost every business qualifies, including:
- Medical Practices – Because payment is made via an insurance company, the FTC has ruled that medical offices must comply. The AMA has been unsuccessful in getting relief from the rule on the grounds that offices are already covered by HIPAA.
- Retail Stores – The only exception is a store that deals exclusively in credit cards and cash. If a store allows purchases on credit, internal or external, it must comply.
- Services – Phone companies, cell phone carriers, power companies or anyone else that extends credit.
- Car Dealerships – This includes boat sales, RVs, motorcycles and power sports.
- Banks and Financial Institutions – Everything from the local bank to credit card issuers to mortgage brokers.
- Schools – Any high school, college or university that provides or accepts financial aid.
There are numerous ways to get into compliance. At the high end is bringing in a law firm to go over all of your business practices and design a custom program. This is very expensive, but it is the most thorough and you are all but certain of compliance. At the bottom end is an off-the-shelf solution. These are not very expensive, but they may require a great deal of customization and offer no assurance that your business will be in compliance.
Any solution you choose needs to have some basic components. The FTC mandates these four parts:
- Identify relevant red flags. – Identify the warning signs of identity theft that are specific to your business. Some common ones are suspicious documents, changes of address, warnings from credit agencies, and notices from victims or law enforcement.
- Detect red flags. – Put in place procedures that will detect the red flags in day-to-day business.
- Prevent and mitigate identity theft. – Put in place reasonable responses for when red flags are detected. This includes monitoring or closing accounts, declining to open an account, or notifying potential victims of a problem.
- Update your program periodically. – Every program should be evaluated and updated for business practice changes and identity theft trends.
Once you have created a compliance program you will need to educate your employees. This means more than just handing out a document; it means working with them to protect all the private information in your care. All training should be documented for compliance records.
This is also a great time to go over the basics of information security.