Effective August 1, 2009, businesses and organizations with consumer or other accounts at risk for identity theft must develop and implement an Identity Theft Prevention Program. They also need to heed identity theft “red flags.”
Who Must Comply
Covered entities include banks, credit unions and other financial institutions, as well as any business or organization that regularly defers payment for goods or services or bills the customer later. Examples include governments, health care providers, finance companies, automobile dealers, utility companies, and telecommunications companies. Nonprofit entities may also be covered. Accepting a credit card as a form of payment does not alone make a business covered.
Accounts Requiring Protection
If your organization is covered, you must take steps to protect customers’ accounts. Covered accounts are those used mostly for personal, family or household purposes that involve multiple payments or transactions (e.g., credit card accounts, loans, utility accounts, and bank accounts), as well as any other account for which there is a “foreseeable risk of identity theft,” for example, small business or sole proprietorship accounts.
Identity Theft Red Flags
Covered entities must implement a written Identity Theft Prevention Program. The program must be structured to prevent, detect and mitigate identity theft.
Common red flags include alerts, notifications and warnings from credit reporting companies; suspicious documents; suspicious personal identifying information; suspicious account activity; and notices from other sources, such as the customer or a law enforcement authority.
Responding To Red Flags
Once a red flag is spotted, the business must respond appropriately. Responses may include notifying the customer, changing passwords, closing the account, monitoring future activity, notifying law enforcement, and other actions. Other state and federal laws provide additional requirements.
The program must be approved by the company’s board of directors or appropriate board committee. If the business does not have a board, senior management must approve the program. The board must also oversee, develop, implement and administer the program, and staff must be trained.
Further information can be found at the FTC website: www.ftc.org/redflagsrule