Compliance With the Red Flags Rules


12 p.m. to 1:30 p.m. Central, August 27, 2009
Presenters: Dan Bachrach, Andrew Serwin, Douglas Kelly

Attorney Advertising. Prior results do not guarantee a similar outcome. Models used are not clients but may be representative of clients.
321 N. Clark Street, Suite 2800, Chicago, IL 60654, 312.832.4500

Today's Presenters
- Andrew Serwin, Foley & Lardner LLP
- Douglas Kelly, Marriott International, Inc.
- Dan Bachrach, Foley & Lardner LLP

Privacy
General Principles:
- Notice
- Choice
- Onward Transfer
- Access
- Security
- Data Integrity
- Enforcement

Privacy
Ultimately Four Issues:
- What information do you collect?
- What do you do with the information?
- When can't you disclose it?
- When must you disclose it?

Federal Privacy Statutes
- Children's Online Privacy Protection Act
- Gramm-Leach-Bliley
- FCRA/FACTA
- Right to Financial Privacy Act
- Electronic Communications Privacy Act
- Health Insurance Portability and Accountability Act
- CAN-SPAM and telephone marketing restrictions

Common Areas of State Regulation
- Identity Theft Laws
- Restrictions on Use of Social Security Numbers
- Spam
- Internet Privacy
- Telephone/Fax Marketing Laws
- State Wiretapping Laws
- Computer Crime Laws
- Notice of Security Breach Laws
- Medical Privacy
- Financial Privacy

What Type of Data Presents Privacy and Security Issues?
- Confidential Information
- Intellectual Property
- Personally Identifiable Information
  - Health
  - Financial
- Other data that reveals sensitive information about individuals by itself or if combined with other information

Trends in Privacy
- Increasing technology is driving more information sharing, as well as greater restrictions.
- Free services on the Internet are built upon information sharing and therefore government regulation has been more limited.
- Health information is receiving more regulatory attention.
- Government spending will drive EHR and privacy requirements.
- Greater protections for information that can be used to commit identity theft.

Why are we here?
- The FTC continues to be concerned about identity theft, including medical identity theft.

Notable Examples: ChoicePoint
- February 2005 allegation: Identity thieves posed as legitimate customers to access the company's extensive consumer profile database
- FTC reportedly investigated the company's compliance with federal law
- SEC reportedly investigated insider trading and adequacy of disclosures
- Secret Service, FBI and U.S. Postal Service involved
- Six class-action lawsuits filed in CA and GA

Notable Examples: DSW Shoe Warehouse
- March 2005 allegation: Data from 1.4 million credit cards used in 108 stores was reportedly stolen between November 2004 and February 2005
- Federal authorities, including the Secret Service, investigated
- DSW established a special help line for its customers
- Parent company disclosed the matter in a 10-K/A and 8-K filed in April 2005
- Disclosures occurred in the midst of the parent's planning for the IPO of DSW
- Head of the FTC, Deborah Platt Majoras, was among the affected DSW customers

Notable Examples: Heartland
- Late 2008: 100 million card transactions/month for 175,000 merchants
- Attack occurred while a PCI review was under way
- Heartland uncovered malware (the data-sniffing kind) that allowed thieves to capture credit or debit-card numbers, expiration dates, and in some cases the cardholder's name.

Scope of Coverage of the Rule
- Financial Institutions and Creditors that offer or maintain covered accounts.
- The key concepts for the scope of coverage are what is a:
  - Financial Institution;
  - Creditor; and
  - Covered account.

Other Key Concepts
- The definition of identity theft is also important:
- The term "identity theft" means a fraud committed or attempted using the identifying information of another person without authority.

Other Key Concepts
The term "identifying information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:
(1) Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device.

Other Key Concepts
Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Who is covered?
- Financial Institution is defined in the same way as in 15 U.S.C. 1681a(t).
- Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

What is covered?
Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.

What is required?
- Each Creditor must periodically determine whether it offers or maintains covered accounts.
- This must include a risk assessment to determine whether it offers or maintains covered accounts, taking into consideration:
  - The methods it provides to open its accounts;
  - The methods it provides to access its accounts; and
  - Its previous experiences with identity theft.

Written Program
- Financial Institutions and Creditors that offer or maintain one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft.

What Factors Can Be Considered When the Program Is Created?
- The Program must be appropriate to the size and complexity of the Financial Institution or Creditor and the nature and scope of its activities.

What Must the Program Include?
The Program must include reasonable policies and procedures to:
- Identify relevant Red Flags for the covered accounts that the Financial Institution or Creditor offers or maintains, and incorporate those Red Flags into its Program;
- Detect Red Flags that have been incorporated into the Program of the Financial Institution or Creditor;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

Continued Administration and Necessary Approvals
A Creditor must also provide for the continued administration of the Program and must:
- Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
- Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
- Train staff, as necessary, to effectively implement the Program; and
- Exercise appropriate and effective oversight of service provider arrangements.

Other Key Elements of the Program
The Program must also assist the Creditor in:
- Identifying Relevant Red Flags;
- Detecting Red Flags;
- Preventing and Mitigating Identity Theft;
- Administering the Program;
- Complying with Other Applicable Legal Requirements;
- Addressing Alerts, Notifications or Warnings from a Consumer Reporting Agency;
- Identifying Suspicious Documents and Suspicious Personal Identifying Information; and
- Identifying the Unusual Use of, or Suspicious Activity Related to, the Covered Account.

New Guidance from the FTC
- There have been several documents released by the FTC that have provided additional guidance, but open questions remain.

Effective Date
- November 1, 2009?

Potential Litigation
- Both the American Bar Association and the American Medical Association have threatened litigation over the definition of creditor.

Creating a Compliance Plan: Potentially Relevant Policies
- Privacy policies
- Employee policies
- Business partner policies (e.g., contract policies)
- Document retention policies (e.g., destruction of records containing sensitive personal information)
- Incident response policies

Prevention
- Technologically
  - Protect your systems
  - Work with (certified) vendors and other parties like Visa
  - Visa's information security standards
  - ISO 17799 Information Security Programs
- Contractually
  - Two key contracts are merchant bank and POS vendor
  - Require certifications as a condition
- Internally
  - Implement appropriate policies
  - Educate employees about handling inquiries

What is reasonable security?
- Legislative history says there are no specific mandates; no bright lines
- States that there will be compliance uncertainty
- Goal is to allow industry to exercise its own judgment
- Reasonable measures must be appropriate to the nature of the information
- This obligation expressly applies to contracts involving data sharing

Information Security and Privacy: A Practical Guide to Federal, State and International Law

Privacy Takeaways
- Assess what information is being collected
- Think through the types of data you are collecting
- Determine what laws apply to your company based upon the information it collects, where it does business and the identity of its customers

Privacy Takeaways
- Make sure that employees understand that they do not have an expectation of privacy in their use of your e-mail and electronic systems
- Consider what security systems you have in place and what security measures you are requiring third parties to have
- Consider restrictions upon the use of removable media
- Make sure your privacy policy makes the necessary disclosures

Privacy Takeaways
- Reserve the right to modify your privacy policy
- Ensure that employees are aware of your policies
- Assess whether you have a responsibility to report a data security incident
- Consider what security systems you have in place and what security measures you are requiring third parties to have
- Determine if you are sending or receiving data to countries that have higher privacy and security standards

Questions and Answers

Presenter Contacts
- Andrew Serwin, 619.685.6428, aserwin@foley.com
- Dan Bachrach, 407.244.3261, dbachrach@foley.com
- Douglas Kelly, 407.513.6870, Douglas.Kelly@vacationclub.com

Thank You
A copy of the PowerPoint presentation and a multimedia recording will be available on our website within 24 to 48 hours: http://www.foley.com/news/event_detail.aspx?eventid=2903
We welcome your feedback. Please take a few moments before you leave the web conference today to provide us with your feedback: http://www.zoomerang.com/survey/?p=web229km4t97d3