FACTA "Red Flags Rule": Concern for security managers?

A new security compliance deadline arrives on November 1, 2008. If your organization is one of the covered entities, there are Red Flag rules concerning PII that you need to know about. Tom Olzak covers the basics of FACTA (U.S. Fair and Accurate Credit Transaction Act of 2003) for security managers.

November 1, 2008 is the deadline for compliance with the "Red Flags Rule" of the U.S. Fair and Accurate Credit Transaction Act of 2003 (FACTA). The purpose of the FACTA is to place an identity theft identification and response requirement on U.S. businesses. Although most of the Red Flag requirements apply to hiring and credit processing practices, as well as those related to health facility admissions, PII and ePHI protection are also included. So what does this mean to security managers? It depends.

What is the "Red Flags Rule?"

Before looking at its impact on security controls, we need a thorough understanding of what the Red Flags Rule actually covers. According to an article posted at the American Hospital Association News site, the rule consists of three parts:

  1. Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.
  2. Users of consumer reports must develop reasonable policies and procedures to respond to any notice of an address discrepancy they receive from a consumer reporting agency.
  3. Financial institutions and creditors holding consumer or other "covered accounts" must develop and implement a written identity theft prevention program that covers both new and existing accounts.
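One way to turn the first of these three parts (a change of address followed closely by a request for an additional or replacement card) into detection logic over account event records, as an added example that is not part of the original article or of the rule's text; the 30-day window, the event schema and the sample events are assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample account events: (account_id, ISO timestamp, event_type).
EVENTS = [
    ("A-1001", "2008-09-01T10:00:00", "address_change"),
    ("A-1001", "2008-09-04T09:30:00", "card_request"),    # 3 days later: flag
    ("A-2002", "2008-08-01T12:00:00", "address_change"),
    ("A-2002", "2008-10-15T12:00:00", "card_request"),    # 75 days later: no flag
    ("A-3003", "2008-09-10T08:00:00", "card_request"),
    ("A-3003", "2008-09-11T08:00:00", "address_change"),  # wrong order: no flag
]

# Assumed threshold for "followed closely"; the rule leaves it to the issuer.
WINDOW = timedelta(days=30)


def find_red_flags(events, window=WINDOW):
    """Return (account_id, address_change_ts, card_request_ts) for every card
    request that follows an address change on the same account within `window`.
    A flag means the request needs identity verification before fulfilment."""
    by_account = {}
    for acct, ts, kind in events:
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), kind))

    flags = []
    for acct, evs in by_account.items():
        evs.sort()                     # process each account's events in time order
        last_change = None
        for ts, kind in evs:
            if kind == "address_change":
                last_change = ts       # remember the most recent address change
            elif (kind == "card_request" and last_change is not None
                  and ts - last_change <= window):
                flags.append((acct, last_change.isoformat(), ts.isoformat()))
    return flags


if __name__ == "__main__":
    for acct, changed, requested in find_red_flags(EVENTS):
        print(f"RED FLAG {acct}: address changed {changed}, card requested {requested}")
```

Widening the window (for example to 90 days) pulls in account A-2002 as well, so the threshold is a tuning decision the written program should record.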

The basic premise for most organizations is simple. Any entity that provides delivery of products or services with delayed payment—either billed later or via installments—is subject to the rule and is therefore a covered entity. An organization is also a covered entity if it uses credit checks for vetting new employees.

Covered entities are required to develop processes to verify the identity of consumers (covered accounts) when questions about provided PII arise. These questions, or Red Flags, are the core of the process. The Federal Trade Commission (FTC)—the enforcement agency—and the FACTA provide a list of possible Red Flags:

  • Alerts, notifications, or warnings from a consumer reporting agency and supervisory guidance
  • Suspicious documents and suspicious PII or ePHI
  • Unusual use of or suspicious activity related to a covered account
  • Notifications from customers, victims of identity theft, law enforcement, or other persons regarding possible identity theft connected with covered accounts
  • Any other suspicious pattern, practice, or activity appearing within the context of a specific organization's everyday activities that points to identity theft

Covered entities must institute a formal, written Identity Theft Prevention Program for dealing with potential identity theft situations, which includes:

  1. Policies and procedures to prevent and mitigate risks, to both the covered entity and victims, associated with identity theft
  2. A member of senior management or the board of directors assigned to provide oversight of the program
  3. Delivery of a compliance report, at least annually, which details the organization's program and level of compliance
  4. Periodic updates to the program
  5. Development of an identity theft incident response process
  6. Contractual language and oversight practices that ensure appropriate information security at any third party with which sensitive data is shared

What does this mean for security managers?

Although most requirements under the FACTA deal with business identity verification processes, there is still a requirement to ensure that stored electronic credit PII or ePHI is properly protected against theft. Businesses already compliant with previous privacy regulations, such as HIPAA and the PCI DSS, should not have to worry too much about one more privacy regulation. On the other hand, those who have not yet put the necessary controls in place to protect employee, customer, patient, or other forms of covered accounts have one more reason to accelerate controls implementation.

In other words, security managers who are already compliant with past regulatory deadlines should only have to integrate existing policies, procedures, and risk assessments into the overall Identity Theft Prevention Program required under the Red Flags Rule. They might also assist business managers with policy development, with assessing the risks associated with various types of verification techniques (e.g., electronically forged documents), and with the development and implementation of an employee awareness program.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...