
Advisories & Insights

New FTC rules aimed at identity theft prevention require compliance by financial institutions and others; FTC enforcement extended to May 1, 2009

March, 2009

With the growth in identity theft and significant security breaches at large organizations, U.S. agencies have increased their scrutiny of business efforts to maintain the confidentiality of protected private information and have adopted new regulations to help combat identity theft. As of May 1, 2009, many businesses will be required to have policies and procedures in place to identify and respond to a list of "red flags": patterns, practices, or specific activities that indicate identity theft may be occurring. These requirements are part of the Federal Trade Commission's "Red Flag Rules."

In 2007 the "Identity Theft Red Flags Regulations and Guidelines"[1] were promulgated pursuant to Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) by the FTC, the federal bank regulatory agencies (Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision) and the National Credit Union Administration to require financial institutions and other creditors to develop and implement identity theft prevention measures. The final rule was effective January 1, 2008, and it required "covered" entities to comply by November 1, 2008. The deadline for FTC enforcement was subsequently extended to May 1, 2009.

The rule requires development and implementation of written identity theft prevention programs, which include measures for identifying, detecting, and responding to patterns, practices or specific activities (the red flags) that could indicate identity theft. The FTC guidelines list examples of red flags falling into several categories, including:

  • Alerts, notifications, and warnings from consumer reporting agencies;
  • Suspicious documents;
  • Suspicious addresses or other suspicious personally identifying information;
  • Unusual use of, or suspicious activity relating to, a covered account; and
  • Notices from customers, victims of identity theft, law enforcement agencies, or other businesses about possible identity theft in connection with covered accounts.

The identity theft prevention program to be adopted by the financial institution or creditor must contain reasonable policies and procedures to:

  • Identify relevant red flags for covered accounts and incorporate those red flags into the Program;
  • Detect red flags that have been incorporated into the Program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

Many businesses in addition to financial institutions will be subject to these rules

The Red Flag Rules apply primarily to financial institutions, but they also apply to any "creditor" with "covered accounts." The definition of "creditor" extends to any entity that "regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit." Creditors would include finance companies, auto dealers, mortgage brokers, utility companies, and telecommunications companies. Note that acceptance of credit cards as a form of payment does not, in and of itself, make an entity a "creditor."

The definition of "covered account" extends to "(1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft." The definition of "account" was deliberately not tied to financial institutions, the commentary to the final rule explains, to make clear that "covered account" will indeed extend to relationships with non-financial institution creditors. Thus, the rule will apply to automobile loans, mobile phone accounts, and utility accounts, along with financial services accounts such as brokerage accounts, credit card accounts, checking accounts, mortgage loans, and savings accounts.[2]

Part of an Overall Data Security Policy

Compliance with the Red Flag Rules is just one part of a creditor's consumer privacy and data security obligations. The rules also offer businesses that are not "creditors" under the rules some further guidance on best practices for protecting consumers' private information. The FTC has advised that businesses generally have a duty to protect customer private information and must adopt reasonable data security measures, including measures sufficient to live up to the promises they make to consumers in their own privacy policies. A business's failure to do so can constitute an "unfair or deceptive act or practice" under Section 5 of the Federal Trade Commission Act, subject to FTC investigation and enforcement.

But what are the standards for maintaining the security of customer data, particularly if HIPAA and the Gramm-Leach-Bliley Act (GLB) do not apply? Businesses may need to look to state laws for a complete answer to the statutory requirements in the U.S. Industry standards may also be important, and perhaps the most important data security standard in the U.S. is the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council.[3] Adopted by a consortium of the major payment card brands operating in the U.S., it is a "set of comprehensive requirements for enhancing payment account data security" that was developed "to help facilitate the broad adoption of consistent security measures on a global basis."[4] The card brands require all merchants (i.e., anyone accepting payment card payments) and service providers that store, process, or transmit cardholder data to comply with PCI DSS. The standard itself applies regardless of size; what is scaled to annual transaction volume is the level of compliance validation required (self-assessment questionnaire versus on-site assessment by a qualified assessor). The standard is built around twelve requirements that reflect data security best practices, including: installing and maintaining firewalls to protect cardholder data; not using vendor-supplied defaults for system passwords and other security parameters; protecting stored cardholder data and not retaining sensitive authentication data (such as full magnetic stripe contents and card security codes) after authorization; encrypting transmission of cardholder data across open, public networks; using and regularly updating anti-virus software; restricting access to cardholder data to those with a business need to know; tracking and monitoring all access to network resources and cardholder data; and regularly testing security systems and processes.

While the PCI DSS is not a U.S. federal government-mandated standard, it is notable that several state legislatures and agencies have considered amending their data breach notification laws to impose liability for failure to adopt some of the safeguards the PCI DSS requires. Most notably, Minnesota amended its data breach notification law in 2007[5] to specifically prohibit companies from retaining card security codes and certain other kinds of payment card data after a transaction is authorized; these prohibitions mirror the PCI DSS requirement not to store sensitive authentication data. The statute requires companies that violate the retention prohibition to reimburse card-issuing financial institutions for costs incurred following a data breach, and it allows those financial institutions to bring private actions against noncompliant merchants.

Similar legislation has been considered in other states.

Conduct regular audit and review of data security compliance and privacy policies

Analyzing compliance with the new Red Flag Rules, along with PCI compliance and other data security measures, should be part of an organization's regular and ongoing privacy and data security protection measures. The IP and Data Security lawyers at Bullivant help clients with data security and privacy audits, review of compliance with new and evolving standards and requirements, and dealing with the legal consequences of a data breach and other aspects of IT and IP risks.


[1] Final rulemaking: 72 FR 63718.

[2] See the FTC website for the final rules and links to related material: http://ftc.gov/opa/2007/10/redflag.shtm.
