Monday, January 25, 2010

Are You Ready to Red Flag?

THE RED FLAGS RULE

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat of identity theft.

First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.

Second, your Program must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

Third, your Program must spell out appropriate actions you’ll take when you detect red flags.

Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.

Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule sets out requirements on how to incorporate your Program into the daily operations of your business. Your board of directors (or a committee of the board) has to approve your first written Program.

If you don’t have a board, approval is up to an appropriate senior-level employee. Your Program must state who’s responsible for implementing and administering it effectively. Because your employees have a role to play in preventing and detecting identity theft, your Program also must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the Rule, your Program also must address how you’ll monitor your contractors’ compliance.

The Red Flags Rule gives you the flexibility to design a Program appropriate for your company – its size and potential risks of identity theft. While some businesses and organizations may need a comprehensive Program that addresses a high risk of identity theft in a complex organization, others with a low risk of identity theft could have a more streamlined Program.
