FACTA "Red Flags Rule": Concern for security managers?

A new security compliance deadline arrives on November 1, 2008. If your organization is one of the covered entities, there are Red Flag rules concerning PII that you need to know about. Tom Olzak covers the basics of FACTA (U.S. Fair and Accurate Credit Transaction Act of 2003) for security managers.

November 1, 2008 is the deadline for compliance with the "Red Flags Rule" of the U.S. Fair and Accurate Credit Transaction Act of 2003 (FACTA). The purpose of the FACTA is to place an identity theft identification and response requirement on U.S. businesses. Although most of the Red Flag requirements apply to hiring and credit processing practices, as well as those related to health facility admissions, PII and ePHI protection are also included. So what does this mean to security managers? It depends.

What is the "Red Flags Rule"?

Before looking at its impact on security controls, we need a thorough understanding of what the Red Flags Rule actually covers. According to an article posted at the American Hospital Association News site, the rule consists of three parts:

  1. Debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.
  2. Users of consumer reports must develop reasonable policies and procedures to respond to any notice of an address discrepancy they receive from a consumer reporting agency.
  3. Financial institutions and creditors holding consumer or other "covered accounts" must develop and implement a written identity theft prevention program that covers both new and existing accounts.

The basic premise for most organizations is simple. Any entity that delivers products or services with delayed payment--either billed later or via installments--is subject to the rule and is therefore a covered entity. An organization is also a covered entity if it uses credit checks for vetting new employees.

Covered entities are required to develop processes to verify the identity of consumers (covered accounts) when questions about provided PII arise. These questions, or Red Flags, are the core of the process. The Federal Trade Commission (FTC)--the enforcement agency--and the FACTA provide a list of possible Red Flags:

  • Alerts, notifications, or warnings from a consumer reporting agency and supervisory guidance
  • Suspicious documents and suspicious PII or ePHI
  • Unusual use of or suspicious activity related to a covered account
  • Notifications from customers, victims of identity theft, law enforcement, or other persons regarding possible identity theft connected with covered accounts
  • Any other suspicious pattern, practice, or activity that appears within the context of a specific organization's everyday activities and points to identity theft

Covered entities must institute a formal, written Identity Theft Prevention Program for dealing with potential identity theft situations, which includes:

  1. Policies and procedures to prevent and mitigate risks, to both the covered entity and victims, associated with identity theft
  2. A member of senior management or the board of directors assigned to provide oversight of the program
  3. Delivery of a compliance report, at least annually, which details the organization's program and level of compliance
  4. Periodic updates to the program
  5. Development of an identity theft incident response process
  6. Contractual language and oversight practices that ensure appropriate information security at any third party with which sensitive data is shared.

What does this mean for security managers?

Although most requirements under the FACTA deal with business identity verification processes, there is still a requirement to ensure stored electronic credit PII or ePHI is properly protected against theft. Businesses already compliant with previous privacy regulations, such as HIPAA and the PCI DSS, should not have to worry too much about one more privacy regulation. On the other hand, those who have not yet put the necessary controls in place to protect employee, customer, patient, or other forms of covered accounts have one more reason to accelerate controls implementation.

In other words, security managers who are already compliant with past regulatory deadlines should only have to integrate existing policies, procedures, and risk assessments into the overall Identity Theft Prevention Program required under the Red Flags Rule. They might also assist business managers with policy development, with the risks associated with various types of verification techniques (e.g., electronically forged documents), and with the development and implementation of an employee awareness program.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

11 comments
pgit

How much more of this heavy-handed needless nannying are "we the people" going to take? Like HIPAA this is all about government keeping you under their thumb.

LarryD4

Information Usage: Currently working on the "law" side, our staff utilizes Credit Bureau reports, Criminal Information Systems and other information gathering web sites to track down information about clients. The nationwide Criminal Justice Information System is pushing to become more in line with the same initiative. Many a client, if picked up somewhere else, may use a middle name and a one-off social to hopefully spoof the system so the arresting agents are not aware of, say, a warrant somewhere else. This results in multiple records for the same person across multiple databases. The new search tools now take those systems into consideration and give back a much wider result with many contributing systems. But this also requires us (the arresting authority) to update alias information, body markings, as well as other used socials to create these links and cross references. So when this type of crime is reported, the information being populated in the record relies heavily on the authority doing the inputting. I guess what I'm trying to say is that you can put policy and applications in place to guarantee information safety. But if there is no real process that guarantees the inputted data is correct, it's not as effective.

Photogenic Memory

Apologies for sounding like an ignorant savage, LOL! I've never dealt with this type of situation before. I guess if you consider it deals with "other" people's money, you've got to have serious procedures in place to protect them and yourself. It's kinda scary actually! Gotta go; surf's up!

LarryD4

I used to get all worked up about the whole security processes at the airports, bridges, etc... after 9/11. But a friend of mine summed it all up pretty quickly. If you have nothing to hide, then it shouldn't bother you.

archie_t

My organization uses credit bureaus to vet potential renters of our townhomes. Is this the type of "consumer reporting" agency the Red Flag is talking about? And so we then fall under the regulation? I don't mean to be dense here. Thanks!

gianni.sumtinelli

The slow erosion of civil liberties has been accelerated through a concerted effort of this administration and now LAWS are on the books that circumvent those that our fathers and grandfathers fought for (think Guantanamo), all brought about quite nicely through Cheney's orchestration of fear, intimidation and doubt. Airport security is window dressing covering serious loopholes, but it gives people a focal point for gripes or warm-fuzzies. "The price of freedom is eternal vigilance", but allowing a police state to evolve, without oversight, and completely putting your trust in 'leaders' not to abuse their position is, historically, a foolish, misguided mindset. Greenspan "trusted" the financial market not to abuse their position when derivatives were allowed to bloom (1999-present)-- vehemently fighting oversight for years. The result: today's financial meltdown, with our leaders insisting there was nothing wrong for over a year; the ex-workers with Nixon (Watergate) of Cheney and Rumsfeld convinced the country we were justified in going to war with Iraq, and "We the Sheeple" went along with it, congressional reservations countered with assurances of knowledgeable management of the matter until -- well you know where we are now. The Germans were in a severe financial depression, and who came along promising them a way out? A perfect example of how a society can be slowly 'convinced' by a madman that its position is justified. You MUST know that it's the DATA that matters, CONTENT, and aggregate trending models. If you truly believe "If you have nothing to hide then it shouldn't bother you" then what you are really saying is "I trust ANYONE in ANY position of authority not to abuse that position". That's fundamentally what we were warned about by the founding fathers. In today's world, using the increasing knowledge OF man AGAINST man is the most powerful weapon available. Thanks for reading. Visit rants-r-us.org 8-)

hlhowell

Powers change, people change, but information in databases is forever. What you are comfortable sharing with George Bush, you might not want to share with Hillary Clinton. Or maybe you would be comfortable with Barack, but worry about Bush. Maybe you are Christian and worry about Muslims in positions of authority. What you may want to keep private (I dislike the word hide because it has connotations that don't really fit the case here) depends a great deal on who is seeking the information. You might tell your doctor about your warts and stuff, but would you want that in others' hands and heads? Privacy provides for the anonymity that makes democracy work. Without it, you are in a socialist environment where the government can dictate what is yours, from the words on paper, to programs on your entertainment channels, to all kinds of invasive stuff that is not really clear until you see it in action. Ask the nearest Vietnamese, or Israeli about privacy and its importance, or check out the things that happened with the Blacks in the 60's. Privacy is concurrent and concomitant with freedom. If you lose one, you will soon lose the other. And it is not just you. The flow of information becomes subjugated once someone has the power to overturn privacy of the purveyors of information services. Your kids become vulnerable to being taught only by those who meet the criteria of the powers that be in the school system, since those with differing viewpoints could find their private affairs being aired. EVERYONE either has or will have secrets in their lifetimes that deserve privacy. Think about the excess change a cashier gave you, the times you speed, when you took a reserved or restricted parking spot, who you hurt recently physically or emotionally.
There are things big and small that each of us does daily that are crimes of omission or commission of time, pressure, peer pressure, circumstance and greed among other motivators, that can be used to manipulate us in ways good and bad. Who do you think should wield that power?

pgit

Ignore the ignorant... except for the willfully ignorant, avoid them like the plague.

gianni.sumtinelli

In 1935 Sinclair Lewis wrote a book entitled 'It Can't Happen Here'. In it he stated "When fascism comes to this country it will be wrapped in a flag and carrying a cross."

pgit

Believe it or not, some of us out here still have principles. Your friend has had his head flattened by relentless TV programming. Next year it's "I don't care if they come busting into my house at 3 AM, shoot all my pets and haul me and the wife naked into the street looking for (put bogeyman here), because my wife and I are not (put bogeyman here)." Your friend belongs in Canada, East Germany, but not anywhere where some of us want to retain freedom. "The whole aim of practical politics is to keep the populace alarmed (and hence clamorous to be led to safety) by menacing it with an endless series of hobgoblins, all of them imaginary." ~H. L. Mencken