As businesses increasingly rely on technology to store and maintain data, including customer records, the risk of identity theft also is increasing. The Federal Trade Commission ("FTC"), together with federal banking regulatory agencies and the National Credit Union Administration, has adopted new regulations intended to combat identity theft. Known as the Red Flag Rules, these new regulations require financial institutions and creditors to develop and implement a written identity theft prevention program to identify and combat identity theft in connection with new and existing customer accounts.
If you are an operator that provides service in advance of payment, then your company is a "creditor" because your company regularly extends, renews or continues credit or defers payment for goods or services. The Red Flag Rules apply to each "covered account," which is a customer account involving multiple payments or transactions for which there is a foreseeable risk of identity theft. By contrast, a single, non-continuing transaction, where no ongoing relationship exists, is not a covered account. The Red Flag Rules may also apply to some of your business customers.
All companies subject to the Red Flag Rules are required to implement a written customer protection program by November 1, 2008. This program must be designed to detect a "red flag", which is a pattern, practice or specific activity that indicates the possible existence of identity theft. The FTC has identified five categories of Red Flags and provided a list of examples of the types of red flags that fall under each category. If you are providing interconnected voice or VoIP services, the Red Flag compliance program can be combined with your CPNI program required by the Federal Communications Commission's rules.
The customer protection program must include policies and procedures for: (i) detecting warning signs or "Red Flags" of identify theft, (ii) responding to any such Red Flags in a manner that will prevent or mitigate the identify theft, and (iii) updating the Program. The customer protection program must be managed by the Board of Directors or senior employees of the company if there is no Board of Directors. Also, the customer protection program must provide for staff training and oversight of your company's service providers.
Thank to Attorney Stephen E. Coran of Rini Coran, PC for providing this info.
I have emailed the FTC and would like to know if you are aware of any changes to the rules since the extension of the deadline to May 01, 2009.
Great post. Thank you for sharing this information.
Ken
Extended again, this time to August 1, 2009:
http://www.ftc.gov/opa/2009/04/redflagsrule.shtm
We are trying to formulate a protocol for the red flag identity theft. When verifying a patient, do we make a copy of their photo identification (i.e., drivers license) for their chart, or is it adequate to see the ID and make a notation that it was shown. Please advise.