FTC’s Red Flag Rule – Identity Theft

Last year the Federal Trade Commission (FTC) and several Federal Banking agencies issued a new regulation named the Red Flag Rule, which is intended to reduce the risk of identity theft.

Background on Red Flags Rule

The FTC issued the Red Flags Rule under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act), which amended the Fair Credit Reporting Act (FCRA). The rule requires “financial institutions” and “creditors” that hold “covered accounts” to develop and implement an identity theft prevention program” for new and existing accounts.

The Red Flags Rule is actually three different but related rules, one or two of which apply to many colleges and universities:

(1) Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. (This provision is likely not applicable to colleges and universities, because, as discussed in the preamble to the Red Flags Rule, the definition of “debit card” specifically does not include stored value cards. However, this provision could implicate student ID’s that also can be used as part of a national debit card network, such as Visa or MasterCard.)

(2) Users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency. (This provision applies to colleges and universities when they use consumer reports to conduct credit or background checks on prospective employees or applicants for credit.)

(3) Financial institutions and creditors holding “covered accounts” must develop and implement a written identity theft prevention program for both new and existing accounts. (This provision likely applies to many colleges and universities).

This rule adds to the burden institutions already have having to comply to law already on the books, including FERPA, HIPPA, GLBA, DMCA and Federal Copyright Laws.

Even though there needs to be something done about the escalating problem of identity theft, I seriously doubt that additional laws are going to make a difference, specially if those laws go too far.

With the extensive laws already on the books, what really need to happen is for them to be enforced. Too many times institutions take for granted these laws and only go as far as writing some paragraphs and naming it their policy.

No real enforcement of any kind, but instead drafting a piece of paper to say something was done when the shut hits the fan.

Examples need to be made from the big guy to the little guy, to send a message that the customer information these institutions hold is valuable and not taking appropriate steps to guard it will be dealt with swiftly and with severe consequences for management of those institutions.

Getting back to identity theft, one of the major reasons identities are stolen is for fraud.

LifeLock’s approach to this offers some interesting lessons on the way credit is issued.

In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta, credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up — LifeLock, Debix, LoudSiren, TrustedID — that automatically renew these alerts and effectively make them permanent.

This method is simple and straight forth.

This is what policy should be about. Simple to write, simple to implement and simple to execute.

Some examples of this within a company could be:

  1. Scanning PC’s for Social Security Numbers (SSN) and Credit Card numbers and erasing them using software like Identity Finder.
  2. Wiping all computer hard drives and media before it leaves the premises for disposal. Darik’s Boot and Nuke is a tool which securely wipes information on media.
  3. Implement policies for the centralization of data, making IT responsible for the security and integrity  of the data. (Its not feasible for IT to protect an undetermined number of data repositories)
  4. Implement polices preventing the communication of SSN’s and credit card information via e-mail.
  5. Enforce password changes on a regular basis.
  6. Restrict outbound access from servers, only allowing limited access for required tasks.
  7. Deploy Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS)
  8. Deploy solutions capable of logging transactions and monitor them.

The original date for compliance for the new Red Flag Rule was November 1, 2008; which has now been extended to May 1, 2009.