The Federal Trade Commission (FTC) has set a compliance date later in the year for an additional rule (the Red Flag Rule) to its already existing FACT Act (FACTA), that will broadly affect all business that maintain personal information on individuals – from banking institutions to nanny hiring services. So what does this mean to you, the lawyer or the firm?
Well, that’s the exact focus of this article. We will dissect how the FACTA Red Flag Rule can potentially affect your business by giving you clear cut definitions of the Act, the new rule, what it means to your business and how to achieve and maintain compliance so that you may ensure the growth of your business by protecting it’s most valuable asset – that of its client and employee information.
Q.1: What is the FACTA?
FACTA stands for Fair and Accurate Credit Transaction Act. FACTA is the 2003 law designed to reduce risks of consumer fraud and identity theft opportunities that may be created by improper storage and disposal of client information. This includes any storage method that contains personal information, whether it’s on paper, CDs, DVDs, discs, or hard drives. Client information can be any combination of personal data such as names, dates of birth, addresses, driver licenses and Social Security numbers.
Initially meant to protect consumers, FACTA was extended to provide protection for employees. On June 1, 2005, a new portion of the FACTA law went into effect. It states that you, the employer (even if you have only one employee, and it is your mother-in-law’s cousin by marriage, and you only have his or her personal information so that you can pay social security taxes,) can be fined by federal and state government, and even sued in civil court if any of this information is somehow released and used in an identity theft scam.
So, we’ve arrived at you, the employer, are now legally responsible for maintaining the confidentiality of any and all client and employee information that can be used in any identify theft/fraud situation.
Q. 2 What is the FACTA Red Flag Rule?
The Federal Trade Commission’s (FTC) review of the FACTA law led to the FTC’s decision to specify the type of suspicious activity that business owners should be aware of, that should send up a “red flag”, alerting them to identity theft attempts by potential clients or employees. This led to the FACTA Red Flag rule that went into effect on January 1, 2008.
Basically, the final Red Flag rules and guidelines implemented call out 5 categories of Red Flags which illustrate the types of activities that need to be identified:
- alerts, notifications or warnings from a Consumer Reporting Agency (such as Equifax, Experian or TransUnion)
- suspicious documents (e.g. photocopies of driver’s licenses instead of the originals)
- suspicious personal identifying information (misspelled names, differing birth dates, p.o. boxes… )
- unusual use of, or suspicious activity related to, the covered account (heavy usage or repeated process denial)
- notice from other clients, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor. (This is the ultimate red flag. If you are contacted by anyone claiming to be a victim of identity theft, immediately contact your local law enforcement department and turn the matter over to them.)
Q. 3 Okay, I understand the new FACTA Red Flag rules. What does that mean to mean to my firm?
The new FACTA Red Flag Rules mean you need to make sure your client and employee personal identifying information is a) accurate (to the best of your knowledge) and we will broaden that definition in Q. 4 below) and b) secure (answered in Q.5).
Q. 4 How do I ensure that my client and employee information is as accurate as needed for me to be in compliance with FACTA’s Red Flag rules?
(This needs to be prefaced with the advisory that we are not lawyers, nor do we play any on T.V. If you have legal questions regarding this subject matter, please contact a knowledgeable attorney in your area.)
But in an effort to be helpful, we offer some common sense tips. To do so, we’re going to break this answer into two parts – ensuring your employee is who they say they are and then ensuring they understand and enforce the compliance procedure.
You need to designate trusted employees to obtain and maintain your clients’ personal information. Run a background check on all employees and make sure they have proper identification (such as a government issued photo i.d.) and check references. Always check references. Don’t just call phone numbers that are provided to you on the application form. Check that those businesses actually exist – are they listed in a directory?
New Client Registration:
Second, have a policy sheet (it can be a one pager) available to your staff regarding the types of identifications that are required and accepted for new clients. If there is any doubt about the i.d. being presented, err in favor of compliance and diplomatically advise the client that your business can only accept i.d. that complies with government regulations as this is, in essence, a financial transaction.
Q. 5 My employee passed her background check with flying colors and all of my clients have verified identification. How do I secure all of this information?
Okay, now that your trusted employee is collecting personal information from your clients, have them follow strict procedures for obtaining and securing the information. Several suggestions:
To secure employee information:
- Assign access to personal employee data to specific management members.
- Issue unique user names and passwords to these managers.
- Scan all paper documents and store the paper documents in break-in proof containers/file cabinets or offsite.
- Maintain a secure and separate office area (or at least a large and heavy safe) in the case of a break-in.
To secure client information:
1. Have a separate interview area where a potential client can fill out formsor answer questions in private.
2. When your designated staff member is inputting this data into your business’ database, have the monitors positioned so that they are not viewable by anyone aside from your employee. (Preferably, this should be done in a separate Employees Only area.)
3. Deposit all checks and credit/debit/check card receipts into a safe several times a day if necessary.
4. Limit access to the safe.
5. Apply the same access limits as you do for employee information.
6. Be aware of the length of time you must maintain old employee or client files securely. Beyond that point, shred old information files; delete old pc files. The employee or client may be gone from your establishment but they are probably still around somewhere. You don’t need to inadvertently let others have their information even if it is no longer of any use to your business.
Q. 6 When do the FACTA Red Flag Rules go into effect? And when is the compliance date?
FACTA Red Flag rules went into effect January 1, 2008 and compliance must be met by November 1, 2008.
On a final note, establishing written personal information storage policies for employee and client data is the first step in secure data management. Should a personal information breach then occur, it would be recognized that considerable aforethought was given to data security. Then follow through with tightening the physical security of your client and employee information. Identity theft has by far replaced any outright robbery crimes in this nation. Be careful, be alert, be aware. It is, literally, your business.
BNI Investigators: Street smart: Net savvy.
Filed under: background checks, client, criminal, employee, facta, identity theft, law firms | Leave a Comment »