As of this writing we are less than 60 days out from The Identity Theft Red Flags rule compliance date. This federal mandate’s operative word is “Prevention” – as in an Identity Theft Prevention Program.
Simply stated the Identity Theft Red Flag rule makes it incumbent upon Financial Institutions and their creditors to take proactive steps to prevent Identity Theft.
This article speaks to being proactive with regard to disseminating a company’s compliance to its clients or customers. The first step to that is an in-house education program that gets everyone ‘on board’ with the understanding of what compliance is.
Financial Institutions are defined as: any organization that maintains Personal Financial Information regarding its Clients or Customers. Such entities include (but are not limited to) Schools, Credit Card Firms, Insurance Companies, Lenders, Brokers, Car Dealers, Accountants, Financial Planners, and Real Estate Agents.
It is now time to take a moment and 'take stock' as to whether or not ANY personal or corporate financial information is collected, maintained or used by your organization. Such things to consider are personal or corporate identification numbers (such as Social Security or Federal ID numbers or addresses), credit card numbers, checking or savings account numbers, drivers’ license numbers, and healthcare benefit identification numbers. These are just a few of the identifiers that companies need to be concerned about having 'ownership of' as part of doing business.
Although I don’t profess to know much about computer ‘hacking’, I do know a thing or two about corporate Identity Theft. This article, by Chana Schoenberger of Forbes magazine, illustrates the ease with which ‘hackers’ can get into computer networks and do pretty much anything they want. The ‘hackers camp’ mentioned in the article instructs IT departments on what they are up against.
According to a survey by the FBI and The Computer Security Institute, half of all corporate and government computer networks have been hacked. The scary part: Another 15% have no idea whether they have ever been violated.
As an Identity Theft expert, it is critical to realize the harm that ‘hackers’ can inflict on information systems, operations, financials and maybe most importantly personal and client information.
The federal laws (FACTA, HIPAA, GLB) and state laws prohibit the misuse of such information. Why is that important? Not for the ‘hackers’, but for the companies whose information is compromised and lost. It does not matter how that information is purloined, just that it was lost. What happens if those records are misused?
Civil and Criminal penalties. (Read: $$ and Jail time)
Now, as well as keeping your in-house records secure, it is imperative that computer systems are also secure.
The latest book by Dr. Markus Jakobsson, principal scientist at Palo Alto Research Center and an adjunct associate professor at Indiana University, and Zulfikar Ramzan, a Senior Principal Researcher in the Advanced Threat Research Group at Symantec, once again reiterates the challenges that businesses are having, and are going to have, with regard to malware or crimeware: the accessing of computers and computer systems by criminals.
It is pointed out by the authors that this, in the past, has been hobby driven with no organized regimen to infect and steal information. My experience, research, and interviewing of clients and companies points to what the authors expect to happen in the future: an organized, criminally and financially driven attempt (and might I add successful intrusion) to harvest data for the specific purpose of using that data for financial gain.
Folks, the threat is already here and coming to a computer, or as far as corporations are concerned, a computer system near you.
Their view is a negative one and with good reason: as the Ebays and the Paypals of the world shore up their computer systems against these threats, the low-hanging fruit of other, less vigilant corporations will be exposed and their data/information stolen.
Remember that the FACTA, HIPAA, and GLB Federal laws are put in place to prosecute those companies that have information breaches and that information is used. It means dollar$$ and jail time for the Executives.
Hopefully a word to the wise and vigilant is sufficient. Protect your companies and your livelihood against these organized criminals.
In order to reduce the threat of data losses and their consequences the industry has suggested the following minimal set of practices.
This recommendation echoes Betsy Broder's (Assistant Director of the FTC's Division of Privacy and Identity Protection) mandate of having a proactive defense in place.
She says: "Unless you're one of a few businesses that are exempt from our jurisdiction we will act against businesses that fail to protect their customer data."
Excerpted from: The Silent Crime - What You need to know about Identity Theft By Michael McCoy and Steffen Schmidt.
"If you experience a security breach, 20% of your affected customer base will no longer do business with you, 40% will consider ending the relationship, and 5% will be hiring lawyers! When it comes to cleaning up the mess, companies on average spend 1,600 work hours per incident at a cost of $ 40,000 - $ 92,000 per victim."
CIO magazine, The Coming Pandemic, May 15, 2006
The above stated fact affects ALL companies in North America that collect and store sensitive NPI (Non-Public Information) about their customers on their computers. What Information? Information such as names, addresses, Social Security numbers, credit card numbers and account numbers that specifically identify the customer or even the company's own employees.
This information MUST be protected by the business owner as if it is a matter of life and death. That life and death is your business. Which, literally, is the case if that business owner is YOU.
Federal, State, and Local laws mandate that, as the business owner, you must comply with laws such as FACTA, HIPAA, Gramm-Leach-Bliley as well as whistle blower and local laws that define violations of these laws in terms of Dollar$$ and Jail Time for the executives!!
Business Owners know that it is tough enough to run their companies without additional complications. Business Owners also know that when the Federal Government has an issue that they cannot solve, they put it squarely on the back of small business. That same small business that is the backbone of the United States Economy.
Identity Theft is that latest issue!!
Businesses are just as susceptible to identity theft scams as private citizens and probably even more so.
The reason is that businesses typically have more than one employee, and the exposure to 'scams' and Corporate Identity Theft is exacerbated by that number of employees. It's not that they are doing anything bad or untoward (although statistically 60% of Corporate Identity Theft comes from the inside! - although the cause could be a repairman or other trade that absconded with some sensitive information that was left out when they were there to perform some service work). It's just that the employee was trying to be a good employee doing what, they thought, was best for the company.
Phishing, pharming and other ways that Identity thieves attempt (and are successful - much more than you would think) to steal identities have been around pretty much since the internet has been around. THANK YOU, Al Gore !?
The bottom line, if a corporate or Government entity is seeking sensitive information via the internet (or even via snail mail) it is a good idea to check with those entities before providing any sensitive data. (AND NOT BY CALLING OR SENDING THAT SENSITIVE DATA BASED ON THE DOCUMENTATION THE ALLEGED ENTITY CONTACTED YOU WITH.)
As always for more information and to set-up an appointment to discuss these issues and get your company 'up to snuff' contact us!! An ounce of prevention is worth much more than a pound of cure !!
In a previous post, the 'Red Flag Rule' was mentioned as an issue that 'financial institutions' need to be concerned about.
Now, as an outgrowth of that, the PCI Data Security Council (a consortium of companies such as Visa, Mastercard, American Express, Discover and JCB cards) will be enforcing stricter rules as of June 2008.
These Rules are designed to protect data security (within the brick and mortar of the credit card companies) as well as implementing strong access control measures that additionally regularly monitor and test the networks.
Key to this, and a proactive approach, is requiring that an information security policy be put in place. This is done (and is a stringent Federal Trade Commission recommendation) so that educated employees can watch out for and minimize and mitigate the exposure associated with data breaches. It also is designed to hold them accountable for the information that they possess and process.
Calling Indoff is also a good, first step in bringing your company into compliance. Our knowledge of filing systems, storage capabilities, and space planning, along with a program that does assist in mitigating the liability associated with the Federal Law violations (I.E. FACTA, HIPAA, and GLB), shows that you (as a business owner) have put a plan in place to protect clients' data.
Once again (and it should come as NO surprise to anyone), identity theft incidents at America's top banks are running somewhat rampant.
As most large corporations try to hide from or not report these incidents to their clients, this report calls out major financial institutions for their lack of vigilance with respect to this problem.
Bank of America, JP Morgan Chase, Capital One, Citibank and American Express are among the top offenders.
This report was spawned by thousands of consumer complaints to the Federal Trade Commission.
Although the study is from complaints filed for a three-month period in 2006, consumer advocates nevertheless hope this first-of-its-kind report turns up the heat on financial institutions to better educate and protect their customers from the threat. (And you know IT IS worse NOW!!)
How does this affect businesses? Why should businesses be concerned about this?
As we have spoken about before, Corporate Identity theft is more serious and more devastating to a business because of the far-reaching effects of that breach of information. Additionally, Federal Laws come into play when businesses have a breach of information issue.
What if you bank or do business with the financial institutions listed? Businesses DO do business with a financial institution!! And they are just as 'at risk' as the corporate behemoths mentioned in the attached article.
Then there is the issue of the Federal Trade Commission's 'Red Flag Rule', which states that all financial institutions must implement plans to deal with identity theft issues if they are the 'keeper' of personal information of their clients, i.e. Names, Social Security Numbers, Account Numbers, etc. This rule went into effect January 2008 and ALL financial institutions must come into compliance by November 1, 2008. That is a lot of catching up to do!!
And it will not be long before the 'Red Flag Rule' encompasses all companies that take financial information from their clients!! That is anyone who takes a credit card or check for payment for its services!!
At Indoff, we can help mitigate the liability associated with the potential fines and jail time that come with the Federal Trade Commission's enforcing of these rules. Call or email me to set up a meeting to discuss and implement a plan!!
As I have spoken about before, Corporate Identity Theft is becoming such a maelstrom for corporations that the United States federal government is mandating that ALL United States financial institutions implement an Identity Theft Prevention program. This so-called 'Red Flag Rule' compliance deadline is November 1, 2008.
First off, financial institutions are defined as Banks and credit unions. But they aren't the only businesses impacted by these new rules.
"This regulation and guidelines really apply quite broadly," says Amy Friend, assistant chief counsel at the OCC (Office of the Comptroller of the Currency and the Office of Thrift Supervision). "Not only does it apply to banks and credit unions, but basically to any entity extending credit, from finance companies down to the local hardware store that offers its customers credit by signing their 'good name' onto a ledger book and paying over time."
What this means for corporate America is that any company that 'takes' credit cards as a means of payment needs to comply.
At Indoff, we take very seriously our clients and their challenges, and even though we may 'just sell' office furniture, we are in reality problem solvers. This 'Red Flag Rule' WILL become an issue for our clients. Our experience and resolve to get this under control is paramount to our mission.
'Helping Clients with their office environment challenges'
Please call me today, so we can discuss a program that will mitigate the liability associated with non-compliance.
Online apparel retailer Life is Good, Inc. and Life is Good Retail, which collected sensitive consumer information and pledged to keep it secure, has settled its case with the Federal Trade Commission, which asserted that Life is Good's security claims were deceptive and violated federal law.
The FTC order requires that Life is Good implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.
The FTC charges include:
1) Unnecessarily risked credit card information by storing it indefinitely, in an unencrypted format that was easily readable
2) Failed to assess the vulnerability of its web site
3) Failed to implement a security defense to its web site to prevent access to the consumer information
4) Did not set up adequate measures to detect unauthorized access to the stored consumer information
Subsequent to these failures a 'hacker' was able to gain access to Life is Good's web site and steal the information of thousands of Life is Good's clients.
Corporate ID Theft Protection, brought to you by Indoff Inc.
Copyright © 2008 Indoff Inc. All Rights Reserved