Someone please call me "chicken little" and point me to documentation that makes this trivial. Just returned from a full presentation on the Red Flags Rule and have a bit more info. Keep in mind that PCI compliance is only a small part of this ruling that went into effect Sunday, Nov. 1.
If you handle **any** personal information - names, addresses, phone numbers - this applies to YOU. If you have employees, you will also have to have a set of employee policies and procedures.
This ruling mandates that you must have in place, and maintain proof of execution of, policies and procedures for managing sensitive information. This includes but is not limited to phone numbers, names, addresses, and **any** personal information, online or offline. A large part of compliance is what you do with that information after you are done with it.
This affects businesses in varying degrees, from small to large. Larger companies will have to have individual policies for each aspect of their business - administrators, techs, office personnel, and production. Multi-employee businesses will have to have signed documentation from each employee verifying they understand the policies and adhere to them.
Some examples of trouble areas:
- Storing customer info in your web server database (even non-CC)
- Plain paper copies of online orders with customer address, phone, etc.
- Emails left in your inbox and stored on your business computer. Side note: are you using Yahoo/MSN/Gmail and a web interface to receive emails of orders, etc., so that your customer's info is voluntarily placed on a remote server? I'm sure this is a **big deal** as you have absolutely no control over that server.
- Technical security measures of your internal networks, web servers, etc., of which PCI compliance is only a small part.
- Access to your business's computer and the measures you use to control said access.
- Policies and procedures to identify a "red flag" indicating a possible breach.
- Policies and procedures in place in the event of an **actual** breach.
I'm still a bit gray on the conflicting requirements of customer information. Credit card companies require that you keep purchase receipts - sans full CC info - for up to two years (correct me) after the date of the transaction. A possible "working policy" would be that these receipts, which include plain copies of the transactions/orders, are stored in a secure location (bank lock box) during that time, and would also cover how they are transported from their place of origin (your business) to the secure location. Then after this time has expired, your policy must outline the specifics of document destruction.
"Simple enough. I shred all my documents, burn the clippings, and cast them to the wind under the cleansing light of the full moon."
In an audit, they would ask for documented proof that this has been done. The scenario presented was like this:
An auditor comes into your business, and says that Jane Doe has had her identity (or credit card info) stolen and the investigation leads to your business as the point of breach. We want to see your policies and procedures, and proof that you are executing them.
Fines can be up to 1.5 million. Doesn't matter if it was your business responsible for the breach or not; if you don't have the policies and procedures, and proof you are executing them, you're "guilty" by default.
This speaker has his own motivations - but his company is certified on various levels in document destruction. For $17 - $95 month, depending on the volume, he brings a **locked** bin to your location with a slot. You deposit all documents in this bin to avoid casual observation. When picked up, you get a certificate of destruction. His drivers are licensed and bonded, every step of their work is documented from pickup to destruction.
In the above scenario, you present the policies and the cert, and you're off the hook (i.e., if there is a breach, it's now his ball.)
The bitter irony of all this is that the FTC task force is structured to use these fines to fund their enforcement. Same way local law uses "speed traps." Makes me ill . . .
They are likely to hit the low-hanging fruit first; small businesses will be last in line and may never see this. Like the businesses who collect CC info via email or store CC info on their servers in violation of PCI compliance, you may sail by forever without getting audited. Or you might not . . .
After initially posting this I searched the ftc.gov site for more info and, like all .gov sites, I found a bunch of legalese and was doing circles in minutes. This gentleman pointed me to http://ftc.gov/redflagsrule
(Oh . . . THERE it is!)
The "how to" link has more information (a 21 MB PDF; does the government ever hire anyone competent enough to optimize PDF documents?).
The do-it-yourself template is a questionnaire for policies and procedures, also a PDF (196K). You should review the first document first.
I presume the lack of response to this thread is due to no one hearing of this, or not moving a rock until you have to. If all this is correct, this is huge.
Someone tell me I'm wrong.