
Network World

Jamey Heary

55 Credit Unions Found in Violation of FTC's ID Theft Rules

Is the FTC taking Identity Theft Seriously?

By jheary on Thu, 10/22/09 - 6:01pm.

The FTC has found only 59 Identity Theft Red Flag Rule violations in all of the thousands of credit unions under its influence since January 2008 (the Red Flag Rules enforcement date). The most prevalent violation found was not having established a Red Flag identity theft program at all. The 55 credit unions represent less than 1% of the total credit unions that fall under the jurisdiction of the FTC. So is the FTC really taking identity theft seriously? Are they making an impact?

This smells fishy to me. Are we really being led to believe that 99% of all credit unions are in compliance with the identity theft rules set forth in Red Flag? That would be a first in security: instant 99% compliance as soon as rule enforcement takes effect! It would also lead one to believe that your identity would be pretty safe with these establishments that are being diligent in their compliance with the identity theft prevention rules set forth by the FTC. Not quite convinced everything could be this rosy, I looked under the covers of Red Flag a bit more to see what's really happening. What I discovered is quite frightening.

The information above came from a recent exclusive interview that Tom Field of Bank Info Security had with National Credit Union Administration (NCUA) Chairwoman Deborah Matz. Here is a snippet of the relevant question:

"Field: After nearly one year of examination for compliance, how are credit unions faring with ID Theft Red Flags? What works? What needs more work?

Matz: Since January 2008, 59 violations of the ID Theft Red Flags rule have been reported in 55 credit unions. The predominant violation is failure to establish and implement an ID Theft Red Flags program. Total credit unions in violation of the rule represent less than 1% of all federally insured credit unions, indicating that credit unions have overwhelmingly come into compliance. NCUA remains committed to ensuring that those credit unions without proper Red Flag programs come into compliance as soon as possible. Like our Immediate Past Chairman Michael Fryzel, I believe it is important for credit unions to review their Red Flag programs on a regular basis to ensure their …"

The sentence I highlighted in italics above is the most interesting to me. Matz postulates that because DISCOVERED violations are less than 1%, that somehow indicates widespread compliance with Red Flag rules. Now, if the FTC were performing very diligent compliance checking of credit unions, I would feel more comfortable with the cause-and-effect relationship Matz is assuming. However, by its own admission the FTC is NOT performing compliance checks, nor does it provide specific identity theft prevention rules to comply against. You get to make up your own using the guidelines in the Red Flag Rules.

One other point is that even if the FTC were to achieve 100% compliance, the results for consumers would be negligible at best. Why, you ask? Because the Red Flag Rules only require a company to develop a written policy on how it would go about protecting your identity. No actual implementation of this written policy is being enforced. So write up your ID theft prevention policy, or copy one from the Internet. Send it to all the officers of the company via email, have a briefing on it internally, put the policy in a drawer, and voilà, you're now Red Flag Rule compliant with the FTC! OK, so I'm being a bit crass, but it's not far from the real truth.

Here are some snippets taken from the FTC Red Flag Rules Q&A website that should startle you. In a nutshell, the government's attempt to do something about identity theft with the Red Flag Rules amounts to a bunch of paperwork for the lawyers and not much else. We need true identity theft prevention laws/rules from the FTC, not a political checkbox that implements no real change.

Can a consumer sue us under the Red Flags Rule?

No, there is no private right of action. Only certain federal and state government agencies can enforce the Rule, but consumers can file a complaint with the FTC about a company’s Program. The FTC uses complaints filed at www.ftc.gov to target its law enforcement efforts.

If my business is covered by the Red Flags Rule, what will we need to show the FTC to prove we’re complying? Is there a specific audit document we have to file or have available if asked?

The FTC does not conduct routine compliance audits. But the FTC can conduct investigations to determine if a business within its jurisdiction has taken appropriate steps to develop and implement a written Program, as required by the Rule.


What are the penalties for noncompliance?

The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court, on behalf of the FTC. Currently, the law sets $3,500 as the maximum civil penalty per violation. Each instance in which the company has violated the Rule is a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief.


How To Comply

The Rule doesn’t tell you specifically what your red flags program must look like. Instead, it gives you flexibility to implement a program that best suits your business or organization, as long as it meets the Rule’s requirements.
Your starting point for developing a program is the Guidelines issued with the Red Flags Rule, available at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.

Under the Red Flags Rule, which went into effect on January 1, 2008, certain businesses and organizations are required to spot and heed the red flags that often can be the telltale signs of identity theft. To comply with the new Red Flags Rule — enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) — you may need to develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.


Penalties for Noncompliance
Although there are no criminal penalties for failing to comply with the Red Flags Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties. But there’s an even more important reason for compliance: It’s just plain good business. It assures your customers that you are doing your part to fight identity theft.


For the last couple of years the FTC has struggled (and continues to struggle) with an awareness campaign designed to alert businesses that need to be in compliance. Credit unions are only a subset of the businesses that need to be in compliance with the Red Flag Rules.

So are you feeling all warm and fuzzy knowing that the FTC is doing their darndest to protect your identity from theft? Yeah me too!




The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


Fear mongering?


Yes, something does smell fishy. This article stinks of FUD.

FUD?


What exactly is FUD about it? You should already be afraid of identity theft; this article is just about how the government program to help with this is just smoke and mirrors. Surely you are not surprised by that fact? Maybe what you should have said is "yeah, government as usual, what's new?"

-Jamey

White Paper


Wiley Rein & Fielding LLP in Washington, D.C. specializes in privacy and information security litigation and counseling for companies facing compliance obligations in all areas. If you want a copy of this white paper I will send you one, along with it I will send you the best solution. These problems cross industry lines - and virtually no industry is immune, whether commercial, government or non-profit. The white paper states a reasonable security program, as mandated by the FTC, must include the following components: 1) have an information security officer; 2) train employees on the prevention, detection and response to attacks; 3) design and implement safeguards to control the risks identified in the risk assessment; 4) evaluate and adjust the program in light of the results of testing and ongoing monitoring of the program. stankania@yahoo.com

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
