Red Flag Rules Raise the Stakes on Identity Theft Prevention

By Theodore J. Kobus III and Mark Silvestri


Safeguarding client data is not optional. It’s the law.

The legal requirement to safeguard client data was the central theme of CNA’s January 2009 Risk Control bulletin, which explored the proliferation of state and federal laws related to client data security. The bulletin also provided guidelines for establishing and maintaining systems that provide appropriate safeguards.

 

Soon, however, the stakes will be raised. On May 1, 2009, new federal regulations enforced by the FTC come into effect – the so-called Red Flag Rules – that require businesses to take pro-active measures to detect and prevent identity theft involving client data. Financial institutions, which are not regulated by the FTC, have been subject to enforcement of the Rules since November 1, 2008. The consequences of non-compliance are significant – civil penalties of up to $2,500 per violation, which could quickly add up to painful amounts if a business has a large number of customer accounts and each account is considered a separate violation.

 

This bulletin provides an overview of the Red Flag Rules. An appendix provides guidelines on implementing the systems that can help comply with the law.

Red Flag Rules

The Federal Trade Commission and other federal agencies have issued joint rules and guidelines to implement certain sections of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Known as the Red Flag Rules, these rules and guidelines require various entities to develop procedures for detecting and preventing identity theft. Surprisingly, it appears that the Rules apply not just to banks and other traditional financial institutions, but also to a number of potentially unsuspecting businesses of all sizes.

 

As written, the Rules apply to “financial institutions” and “creditors” with “covered accounts.” Without going into all the details of the definitions, a covered account is so broadly defined that just about any business that tracks transactions with customer-identifying information can be said to create “covered accounts.”

Obviously, “financial institutions” include banks, mortgage lenders and S&Ls. It is the definition of “creditor” that gives the Red Flag Rules such broad application. In statements clarifying the meaning of the Rules, the FTC noted that “any person that provides a product or service for which the consumer pays after delivery is a creditor.”1

This extremely broad definition of “creditor” could apply to virtually any business that allows customers to defer payment and pay on credit. For example, some retail businesses offer installment sales agreements to individual customers in which they offer free or low-cost financing. Professional service businesses may allow individual customers to defer payment over time, with or without financing charges. In either case, these businesses would likely be viewed by the FTC as creditors. Thus, the Red Flag Rules are sweeping in their scope, going far beyond the traditional financial and banking industry entities.

Whether or not the Rules apply to businesses that merely accept credit cards for payment is an open question, because there is no definitive interpretation of the Rules on this point. However, the FTC has acted aggressively in the past on privacy issues, for example, internet privacy statements in the early to mid-2000s relating to the security of consumer credit card information. We expect that this posture will continue, sweeping all businesses accepting credit cards for payment into the purview of the Red Flag Rules.

 

What are the Red Flags?

FACTA defines a red flag as a pattern, practice or specific activity that indicates the possible existence of identity theft. The regulations provide guidance by listing five specific categories of red flags:

1. Alerts, notifications or other warnings received from consumer reporting agencies or service providers, such as fraud detection services

2. The presentation of suspicious documents

3. The presentation of suspicious personal identifying information, such as a suspicious address change

4. The unusual use of, or other suspicious activity related to, a covered account

5. Notice from customers, victims of identity theft or law enforcement authorities

Compliance: What Does Your Company Need To Do?

If the Red Flag Rules apply to your business, you are required to implement a four-pronged identity theft prevention program for covered accounts.

 

Identify. You must identify, and incorporate into your identity theft program, any relevant patterns, practices and activities that are red flags that could signal possible identity theft.

 

Detect. You must develop policies and procedures to detect red flags.

Respond. You must respond to any red flags that are detected, in order to prevent and mitigate identity theft. If red flags are detected, the guidelines recommend monitoring accounts for evidence of identity theft, contacting the customer, calling law enforcement and changing any security device that permits account access.

Update. You must update your identity theft program periodically to handle any changes in risks to customers from identity theft, or even risks to the soundness of the covered entity itself. Note that credit card issuers and users of consumer reports of all kinds, which include credit reports, have their own separate requirements, but these go beyond the scope of this bulletin.

Coordination with Industry- and Profession-Specific Privacy and Security Rules

While the Red Flag Rules apply broadly to financial institutions and creditors with covered accounts, there are other privacy-related laws, regulations and rules that apply to specific industries and professions. For example:

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to healthcare providers, health plans and healthcare clearinghouses and governs the handling of individually identifiable health information.

• The Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB Act) resulted in the issuance of the Privacy and Safeguards Rules by the FTC. These apply not only to traditional financial institutions such as banks and S&Ls, but also to non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services and debt collectors.

• Certain professions, such as the legal and accounting professions, also have ethics rules and regulations applicable to the handling of confidential client information.

This proliferating body of laws, regulations and rules underscores the importance of a coordinated approach to risk control. Businesses and professionals should designate an individual within their firm who is responsible for instituting and monitoring appropriate controls to ensure compliance with all privacy and data security requirements.

Summary

The Red Flag Rules are one more sign that the landscape of privacy law is changing rapidly. The trend is clearly toward laws that require pro-active safeguards and that are broadly applicable to all industries.

 

As previously noted, non-compliance with the Red Flag Rules may result in civil penalties imposed by the Federal Trade Commission. However, it does not take a tremendous leap of logic to foresee plaintiffs’ attorneys using the Red Flag Rules as a basis for the standard of care in a negligence action.

In short, those who ignore these Rules do so at their peril.

 

1. FTC Enforcement Policy Statement, http://www.ftc.gov/os/2008/10/081022idtheftredflagsrule.pdf

 

Theodore J. Kobus III is a shareholder in Marshall, Dennehey, Warner, Coleman & Goggin’s Philadelphia office. He chairs the firm’s Technology, Media & Intellectual Property Practice Group.

Mark Silvestri is the Product Manager for the CNA NetProtect® suite of information risk insurance products.