In 2003, Congress enacted the Fair and Accurate Credit Transactions Act to curtail the effects of identity theft by improving the accuracy and integrity of credit information maintained by organizations; giving every person the right to his or her credit report free of charge every year so it can be reviewed for unauthorized activity; helping prevent identity theft before it occurs by requiring businesses to leave all but the last five digits of a credit card number off store receipts; creating a national system of fraud detection to make the capture of identity thieves more likely; and requiring the implementation of an identity theft prevention program utilizing red flag indicators of identity theft that have been established based on the patterns of identity thieves.
Now the federal government is requiring certain creditors, including both private and public sector employers, to take steps to address the risks of the potential identity theft of an employer's customers. The rules were originally set to go into effect on Nov. 1, 2008, but the Federal Trade Commission recently extended the deadline for enforcement to May 1, 2009. Employers who are required to comply with the act must have what is referred to as an identity theft prevention program in place to help protect their customers from identity theft.
Many clients will ask: How do we know if we need to draft and implement an identity theft prevention program? The new regulations apply to "creditors" with "covered accounts." Creditor is defined as a person who regularly extends, renews or continues credit. "Person" is defined broadly to include corporations and governmental subdivisions or agencies. Creditors are required to establish policies and procedures to help prevent identity theft. This includes corporations and government agencies that defer payments for goods or services. A covered account is an account used mostly for personal, family or household purposes, and that involves deferred payments, or multiple payments or transactions. Deferring payments refers to postponing payments to a future date and/or installment payments on fines or costs. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts and savings accounts. A covered account also includes an account for which there is a foreseeable risk of identity theft, such as small business or sole proprietorship accounts. Thus, if your client provides services such as utilities on a deferred payment basis, then that client must have an identity theft prevention program in place.
Assuming your client qualifies as a creditor that maintains covered accounts, how do you know what is required to be in your client's new identity theft prevention program? The FACT Act added new provisions called the "Red Flags" Rules, intended to aid in the detection of identity theft and to serve as safeguards that protect consumers from becoming victims of identity theft. "Red Flags" must be part of your client's identity theft prevention program and are designed to serve as triggers or alerts that a consumer who has a covered account with your agency may be a victim of identity theft. The Red Flags Rules provide all covered employers the opportunity to design and implement an identity theft prevention program that is appropriate to their size and complexity, as well as the nature of their operations. In other words, not every employer is expected to have the same identity theft prevention program.
To comply with the new regulations, the identified red flags must be designed for the identification and detection of, and response to, patterns, practices or specific activities that could indicate that identity theft has taken place against one of your client's customers. The rules and regulations state that red flags may include, for example, unusual account activity, fraud alerts on a consumer report, or the attempted use of suspicious account application documents. The Federal Trade Commission has identified 26 examples of red flags that can be incorporated into an employer's tailored identity theft prevention program where appropriate. The red flags identified in the rules and regulations are not a checklist, but rather are examples that employers can use as a starting point for drafting their custom-tailored identity theft prevention programs.
The 26 red flags identified by the commission fall into five broad categories. The first is where an employer receives some sort of alert, notification or warning from a consumer reporting agency; for example, an employer receives a fraud alert that is included with a consumer report. The second category is suspicious documents that are provided to an employer; for example, documents provided to an employer for purposes of identification that appear to be forged. The third category is suspicious personally identifying information that is provided to an employer; for example, a suspicious address is provided, a Social Security number has not been provided to an employer, or the Social Security number provided is listed on the Social Security Administration's Death Master File. The fourth category is the unusual use of, or suspicious activity relating to, a covered account that is maintained by the employer; for example, there may be a material change in the purchasing or spending practices of a customer holding a covered account that is maintained by the employer. The last category is where the employer receives notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts maintained by the employer.
It is recognized that the red flags implemented will likely vary from employer to employer depending on the nature of the services and goods provided to customers. However, every identity theft prevention program must include four basic elements. The program must enable the organization to identify relevant patterns, practices and specific forms of activity that are red flags signaling possible identity theft and incorporate those red flags into the program; to detect red flags that have been incorporated into the identity theft prevention program; to respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and to ensure the identity theft prevention program is updated periodically to reflect changes in risks from identity theft.
There are also certain steps that the employer must take to administer the identity theft prevention program: obtaining approval of the initial written identity theft prevention program by the board of directors, or if none, then by an appointed senior manager/employee; ensuring oversight of the development, implementation and administration of the identity theft prevention program; training staff on the identity theft prevention program; and overseeing outside service provider arrangements to ensure they comply with the employer's identity theft prevention program.
To ensure compliance with the new requirements, Federal Trade Commission regulators will be required to evaluate employers and their adherence to their new identity theft prevention programs. The commission will impose fines where the disregard of Red Flags has resulted in losses to consumers. The federal government has a pressing interest in preventing the type of identity theft that took place at UCLA in 2005 and 2006. The need to protect consumers from identity theft outweighs the economic burden the regulations place on employers. The actual economic impact of these new provisions on employers remains to be seen. But for local businesses and government agencies in California struggling to maintain their current level of goods and services in today's rough economic climate, developing and administering an identity theft prevention program will not be a minor task. In light of this, an employer should evaluate whether it is in fact required to comply with these new FACT Act requirements. If so, then the employer must have a specifically tailored identity theft prevention program implemented by May 1, 2009.
Morin I. Jacob is of counsel to Liebert Cassidy Whitmore in its San Francisco office. The firm specializes in public sector labor and employment law.
Reprinted and/or posted with the permission of Daily Journal Corp. (2008).