According to this member, effective November 1, an FTC ruling states that any business owner without a policy and procedure in place in compliance with the Red Flags Rule is liable for a fine of up to $1.5 million.
At first glance it looks like it applies only to banking institutions and creditors - but no [ftc.gov]:
A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or "red flags" – of identity theft.
A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point.
It's in effect Nov. 1.
Nov 2007 makes it old news, but I'm just investigating this myself; I'm a developer, not a lawyer. Has anyone else dealt with the Red Flags Rule or implemented policies? What does all this mean to small businesses?
Any resources that would simplify the complexity of understanding a small business owner's liabilities would be appreciated . . .
Just returned from a full presentation on the Red Flags Rule and have a bit more info. Keep in mind that PCI compliance is only a small part of this ruling that went into effect Sunday, Nov. 1.
If you handle **any** personal information - names, addresses, phone numbers - this applies to YOU. If you have employees, you will also have to have a set of employee policies and procedures.
This ruling mandates that you must have in place, and maintain proof of execution of, policies and procedures for managing sensitive information. This includes but is not limited to phone numbers, names, addresses, and **any** personal information, online or offline. A large part of compliance is what you do with that information after you are done with it.
This affects businesses in varying degrees, from small to large. Larger companies will have to have individual policies for each aspect of their business - administrators, techs, office personnel, and production. Multi-employee businesses will have to have signed documentation from each employee verifying they understand the policies and adhere to them.
Some examples of trouble areas:
- Storing customer info in your web server database (even non-CC)
- Plain paper copies of online orders with customer address, phone, etc.
- Emails left in your inbox and stored on your business computer. Side note: are you using Yahoo/MSN/Gmail and a web interface to receive emails of orders, etc., so that your customers' info is voluntarily placed on a remote server? I'm sure this is a **big deal** as you have absolutely no control over that server.
- Technical security measures of your internal networks, web servers, etc., of which PCI compliance is only a small part.
- Access to your business's computer and the measures you use to control said access.
- Policies and procedures to identify a "red flag" indicating a possible breach.
- Policies and procedures in place in the event of an **actual** breach.
I'm still a bit gray on the conflicting requirements of customer information. Credit card companies require that you keep purchase receipts - sans full CC info - for up to two years (correct me) after the date of the transaction. A possible "working policy" would be that these receipts, which include plain copies of the transactions/orders, are stored in a secure location (bank lock box) during that time, and would also cover how they are transported from their place of origin (your business) to the secure location. Then after this time has expired, your policy must outline the specifics of document destruction.
"Simple enough. I shred all my documents, burn the clippings, and cast them to the wind under the cleansing light of the full moon."
In an audit, they would ask for documented proof that this has been done. The scenario presented was like this:
An auditor comes into your business, and says that Jane Doe has had her identity (or credit card info) stolen and the investigation leads to your business as the point of breach. We want to see your policies and procedures, and proof that you are executing them.
Fines can be up to 1.5 million. Doesn't matter if it was your business responsible for the breach or not; if you don't have the policies and procedures, and proof you are executing them, you're "guilty" by default.
This speaker has his own motivations - but his company is certified on various levels in document destruction. For $17 - $95 month, depending on the volume, he brings a **locked** bin to your location with a slot. You deposit all documents in this bin to avoid casual observation. When picked up, you get a certificate of destruction. His drivers are licensed and bonded, every step of their work is documented from pickup to destruction.
In the above scenario, you present the policies and the cert, and you're off the hook (i.e., if there is a breach, it's now his ball.)
The bitter irony of all this is that the FTC task force is structured to use these fines to fund their enforcement. Same way local law uses "speed traps." Makes me ill . . .
They are likely to hit the low-hanging fruit first; small businesses will be last in line and may never see this. Like the businesses who collect CC info via email or store CC info on their servers in violation of PCI compliance, you may sail by forever without getting audited. Or you might not. . . .
After initially posting this I searched the ftc.gov site for more info and like all .gov sites, I found a bunch of legalese and was doing circles in minutes. This gentleman pointed me to
(Oh . . . THERE it is!)
The "how to" link has more information. (It's a 21 MB PDF; does the government ever hire anyone competent enough to optimize PDF documents?)
The do-it-yourself template is a questionnaire for policies and procedures, also a PDF, 196K. You should review the first document first.
I presume the lack of response to this thread is due to no one hearing of this, or not moving a rock until you have to. If all this is correct, this is huge.
Someone tell me I'm wrong.
We do have a few A/R accounts for select customers, so I guess we fall into the "creditor" category. This seems like a huge undertaking to comply. I can't believe I'm just hearing of this for the first time.
The PDF file states that it was in effect in Jan. of 2008.
That was the original draft, which has been extended (I think?) three times. Final ruling went into effect Oct. 31, which means it begins Nov. 1.
The "hook" - or so I am told - is that it **appears** to only apply to banking institutions and creditors, but buried in the legalese typical of government shenanigans is the verbiage that means "anyone who manages someone else's information." See link and quote at "no" in first post.
Although it is not stated in that document, my source claims that the reason for the delay is the same as my confusion over this issue: to clarify the definition of "creditor" and "covered accounts." According to him, the movement is to dispense with all that and make it painfully clear, that the Rule will apply to anyone who handles customer information of any kind.
Until the rules are finalized and a task force is put into place, prosecution currently falls under the jurisdiction of the Attorney General.
I also have an unconfirmed report of the first "victim" in our state: a Portland business was fined $11,000 for sloppy management of personal data. Going to see if I can get a verified citation.