Private Information Protection
Laws & Requirements  


FACTA Law Enacted December 4, 2003
The Fair and Accurate Credit Transactions Act (FACTA) was enacted to prevent consumer identity theft and fraud, and it is the statute under which the Disposal Rule and the Red Flags Rule described below were issued.

FACTA Disposal Rule Effective June 1, 2005
The FTC's Disposal Rule requires organizations to protect against unauthorized access to consumer report information and to dispose of it properly. When private information is no longer needed for doing business with the consumer, paper records must be shredded, pulverized, or burned, and electronic media must be destroyed or erased so that the information cannot practicably be read or reconstructed. Private consumer information to be protected includes name, address and phone number, email address, Social Security number, and driver's license number.

RED FLAGS RULE Issued Oct. 31, 2007
The final Red Flags Rule, an amendment to FACTA, was issued on October 31, 2007, but the compliance deadline was moved three times and reset for 2009. The Rule requires covered financial institutions and creditors to develop and maintain a written program that "red flags" any activity that could indicate an attempted or actual theft of a consumer's identity, and to respond to such cases. The Federal Trade Commission enforces the Rule, and a company can face enforcement action if its employees fail to detect and respond to "red flags" or to take the other mandated steps to prevent identity theft. (See more information below.)

HIPAA Law Enacted 1996
The Health Insurance Portability and Accountability Act requires all health care providers, from individual practitioners to large organizations, to maintain safeguards that prevent unauthorized disclosure of protected health information (PHI). The later expansion of HIPAA under the HITECH Act of 2009 extends these obligations to business associates, requires notification when a breach of unsecured PHI occurs, expands who may seek damages, and increases the penalties for violations.

GLBA Law Enacted 1999 (The Gramm-Leach-Bliley Act)

Also known as the Financial Services Modernization Act, GLBA requires all financial institutions to protect consumer information and to provide privacy notices. Compliance with its privacy provisions was required by July 1, 2001, and the FTC Safeguards Rule (effective May 23, 2003) further requires financial institutions to implement a written information security program to protect private consumer information.


MORE DETAIL ON THE RED FLAGS RULE

Identity thieves use private information to open new accounts and misuse existing accounts, creating havoc for consumers and businesses. Almost all businesses and organizations that hold covered accounts (defined below) will soon be required to implement a program to detect, prevent, and mitigate instances of identity theft.

The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Who must comply with the Red Flags Rules?

The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.

Complying with the Red Flags Rules

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

How flexible are the Red Flags Rules?

The Red Flags Rules allow each financial institution and creditor to design and implement a program that is appropriate to its size and complexity and to the nature of its operations. Guidelines issued by the FTC, the federal banking agencies, and the NCUA (ftc.gov/opa/2007/10/redflag.shtm) can help covered entities design their programs, and a supplement to the Guidelines identifies 26 possible red flags.