GSCFM 2014
GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT
Wanda Borges, Esq.
Borges & Associates, LLC
575 Underhill Blvd.
Syosset, NY 11791
516-677-8200 x 225
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
Increased concern over identity theft
Increased risks of money laundering
Risks of computerized data breach
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
STATUTES
GRAMM-LEACH-BLILEY – 1999
Among the first of its kind
NOT applicable to commercial business transactions
Protects consumers’ nonpublic personal information from foreseeable threats to security and data integrity
Nevertheless – set the standard for Safeguards
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
STATUTES – GLB’s Safeguards Rule
Ensure security and confidentiality of customer information
Protect against anticipated threats or hazards to security or integrity of such information
Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the customer
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
STATUTES – USA PATRIOT ACT – 2001
“Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”
Passed into law – October 26, 2001, after the 9/11 attacks
Primary Focus: Deter and Punish Terrorist Acts [Anti-terrorism]
Enhance Law Enforcement Investigatory Tools
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
STATUTES – USA PATRIOT IMPROVEMENT AND REAUTHORIZATION ACT OF 2005
Together these Acts are commonly referred to as The USA PATRIOT ACT
Section 326 – Anti-money-laundering section
Requires Financial Institutions to set up and maintain Customer Identification Programs (CIPs)
PROTECTING PERSONAL INFORMATION
FEDERAL TRADE COMMISSION issued “A Guide for Business”
Premise – Companies keep sensitive personal information in their files
Names, Social Security Numbers, credit card or other account data necessary to:
Fill orders
Meet payroll
Perform other necessary business functions
DATA SECURITY PLAN
Take stock of what personal information is maintained in files and on computers
Keep only what is necessary for business operations
Lock and protect kept information
Properly dispose of what you no longer need
Create a plan to respond to security incidents
DATA SECURITY PLAN
Keep only what is necessary for business operations
If you really don’t need it, don’t keep it
Electronically printed credit and debit card receipts must be shortened or truncated
Check and change, if necessary, any default settings on software (that may keep information indefinitely)
Develop a written records retention policy
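The receipt-truncation item above is one of the few controls on this slide that can be checked mechanically. The following is an added example, not part of the presentation, that scans receipt text for full card numbers and rewrites them in truncated form, which is also a quick way to "take stock" of stored receipts. The Luhn check, the regular expressions and the sample receipt are constructed for the example; the cap of five trailing digits and the removal of the expiration date reflect the FACTA receipt-truncation requirement (15 U.S.C. §1681c(g)), which the slide does not cite but which is the rule behind the bullet.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or
# hyphens, not adjoining another digit. A candidate only; the Luhn check decides.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Expiration date in the forms "Exp: 12/26", "Expires 12/2026", "EXP 12/26".
EXPIRY_RE = re.compile(r"(?i)(\bexp(?:ires|iry)?\.?:?\s*)\d{2}/\d{2,4}")

# FACTA allows a printed receipt to show at most the last five digits.
FACTA_MAX_VISIBLE = 5


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the full card numbers, as printed, found in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(m.group())
    return hits


def truncate_pan(digits: str, keep: int = 4) -> str:
    """Mask all but the last `keep` digits; refuse to exceed the FACTA limit."""
    if keep > FACTA_MAX_VISIBLE:
        raise ValueError("a receipt may show at most the last five digits")
    return "*" * (len(digits) - keep) + digits[-keep:]


def redact_receipt(text: str, keep: int = 4) -> str:
    """Rewrite a receipt so it carries only a truncated PAN and no expiry date."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        # Reference numbers of card-number length that fail Luhn are left alone.
        return truncate_pan(digits, keep) if luhn_valid(digits) else m.group()
    text = PAN_RE.sub(_mask, text)
    return EXPIRY_RE.sub(r"\1**/**", text)


# Constructed sample receipt; the card number is the standard Visa test number.
RECEIPT = """ACME SUPPLY CO
Card: 4111 1111 1111 1111  Exp: 12/26
Ref: 2024010112345
Amount: $42.00
"""

if __name__ == "__main__":
    print(find_pans(RECEIPT))
    print(redact_receipt(RECEIPT))
```

Run `find_pans` over archived receipt exports or print templates to locate full card numbers; `redact_receipt` shows the form a receipt should take before it is printed or stored. The 13-digit reference number in the sample is deliberately card-number length so that the Luhn filter, not just the length, is what keeps it from being masked.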
DATA SECURITY PLAN
Lock and protect kept information
Physical security
Electronic security
Employee training
Security practices of:
Contractors
Service providers
DATA SECURITY PLAN
Properly dispose of what you no longer need
Wipe computers clean of old data when disposing of a computer
FACT Act Disposal Rule
Burn
Pulverize
Shred
DATA SECURITY PLAN
Create a plan to respond to security incidents
Have a plan in place to respond to security incidents
Designate a senior member of staff to coordinate and implement the response plan
If a computer has been compromised, disconnect it immediately from the server and/or Internet
Investigate security incidents immediately
Take steps to thwart vulnerabilities and threats
Consider whom to notify in the event of a security incident
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
STATUTES
GENERAL INFORMATION
Whenever the word “person” is used, “person” includes: corporation, limited liability company, partnership, limited liability partnership and most other artificial entities
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
CALIFORNIA – Various bills 2003, 2005, 2006
Strictest disclosure and security procedure requirements in the country
Borrowed standards from GLB & HIPAA
Not limited to records located in California
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
CALIFORNIA – Three requirements on businesses:
Notify California residents when security of personal information has been compromised
Notify California residents when information is shared with a third party
Maintain reasonable security procedures to protect personal information
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
INDIANA (since 2006)
Regulates ANY company which owns or uses personal information of Indiana residents for commercial purposes, regardless of whether the company otherwise is doing business in Indiana
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
INDIANA
Develop and implement security procedures
Protect individuals’ non-public personal information
If a breach occurs, report the event to the consumer, state agencies and national credit reporting agencies
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
INDIANA – Recommended Program
Designate an employee to coordinate
Identify reasonably foreseeable internal and external risks to security
Assure contractors are capable of maintaining appropriate safeguards
Continually evaluate to reflect new circumstances
Provide consumer notification plans in case of inadvertent data-security breach
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
MASSACHUSETTS – 2007, but compliance mandatory 2010
Applicable to all “who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
NOT limited to records located within the Commonwealth.
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
MASSACHUSETTS – WISP [Written Information Security Program]
Ensure the security and confidentiality of personal information;
Protect against any anticipated threats or hazards to the security or integrity of such information;
Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
MASSACHUSETTS – cont’d
201 CMR 17.00 Compliance Checklist can be found at:
http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
MISSOURI – Personal Information Data Privacy Notification and Encryption Laws: Section 407.1500 (2009)
Any person that owns or licenses personal information of residents of Missouri, or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri, shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
NEW YORK
GENERAL BUSINESS LAW §899-aa
STATE TECHNOLOGY LAW §208
Effective December 2005
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
NEW YORK – Definition of Personal Information (Private Information)
An individual’s first name or first initial and last name linked with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or is encrypted with an encryption key that has also been acquired
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
NEW YORK – DATA ELEMENTS
Social security number
Driver’s license number or non-driver identification card number
Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
NEW YORK – APPLICABLE TO:
Any person or business which conducts business in New York State, and which owns or licenses computerized data which includes private information
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
NEW YORK – REQUIREMENTS:
Disclose any breach of the security of the system following discovery or notification of the breach in the security of the system
Notify any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
Notify as expeditiously as possible and without unreasonable delay
Consistent with the legitimate needs of law enforcement
Consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
TEXAS BUSINESS & COMMERCE CODE ANNOTATED §521.053
EFFECTIVE DATE: September 1, 2005
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
TEXAS – DEFINITION OF PERSONAL INFORMATION:
Information that alone or in conjunction with other information identifies an individual, including an individual’s:
Name, social security number, date of birth, or government-issued identification number;
Mother’s maiden name;
Unique biometric data, including fingerprint, voice print, and retina or iris image;
Unique electronic identification number, address, or routing code; and
Telecommunication access device as defined by Section 32.51, Penal Code
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
TEXAS – SUMMARY:
A person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of Texas whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure shall be made as quickly as possible, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
PRIVACY ISSUES – IDENTITY THEFT PREVENTION
State Statutes’ Awareness
TEXAS
Implement and maintain reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
Destroy records not to be retained by: shredding; erasing; or making the information unreadable or indecipherable through any means.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
Enacted 2007
Enforcement began January 1, 2011
Picks up where data security leaves off
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
Seeks to prevent identity theft by ensuring that you and your customer are on the lookout for crooks who might obtain and use someone else’s information
Applicable to:
Financial Institutions
Creditors with “covered accounts”
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
The definition of “creditor” under the “Red Flags” Rule is broad
A trade creditor may be included
The Red Flag Program Clarification Act of 2010 has clarified when a trade creditor is or is not a “creditor” under the Red Flags Rule
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010
Limits applicability of the “Red Flags” Rules to a creditor (including a trade creditor) as defined in the Equal Credit Opportunity Act that regularly, and in the ordinary course of business:
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010 – cont’d.
Obtains or uses consumer reports in connection with a credit transaction,
Furnishes information to consumer reporting agencies in connection with a credit transaction, or
Advances funds to or on behalf of a person based on that person’s obligation to repay the funds or repayable from specific property pledged by or on behalf of that person
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010 – cont’d.
Advances funds refers to money, rather than goods or services
This category of “creditors” applies only to entities making loans.
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010 – cont’d.
A trade creditor IS included which relies on an individual credit report in making credit decisions
Whether the report is on the principal of a small business
Or on a personal guarantor
Or on a non-corporate entity
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010 – cont’d.
A trade creditor is NOT included which:
Only deals with established corporate entities
Does not rely on personal consumer credit reports
Does not furnish information to consumer reporting agencies
Does not make loans to individuals
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
“Covered Account” includes: any account that a creditor (or financial institution) offers or maintains for which there is a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the creditor or financial institution.
Consumer Accounts for personal, family or household use.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
Risk Assessment
Business must first assess the level of risk
Creditors dealing with small businesses and personal guarantors have a high risk level
Creditors dealing only with large corporate customers and no personal guarantors do not have to comply with the Red Flags Rules
Written “Red Flags” Program must be developed, administered and updated.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
Identify the “red flags” which will alert your business to a problem
A Red Flag is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft, e.g.:
A customer using a credit card for payment who does not have the proper identity code
A customer ordering an unusual quantity or type of product
A customer requesting delivery to a new or unusual location
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
Detect the “red flags”
Verify any new or unusual locations
Contact the customer personally if any information or request seems unusual
Verify that a customer who uses only a cell phone actually exists
Verify an email account if it appears generic
Confirm that the business or person you are dealing with really exists
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
Respond to “red flags”
Once you have identified your “red flags” and have detected them, your program should set forth a procedure for how you are going to deal with them.
Response may be as simple as contacting the customer for further verification; or
Response could include notifying law enforcement officers
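The three steps on these slides (identify the red flags, detect them, respond) map directly onto a small piece of order-screening logic. The following is an added example, not part of the presentation and not FTC material: it scores an incoming order against what is already known about the customer, returns the red flags from the slides that apply, and picks a response tier. The customer profile, the orders, the 3x quantity threshold and the list of generic mail domains are constructed assumptions; a real program would take its thresholds and response steps from the written Red Flags program.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed threshold: an order larger than this multiple of the customer's
# largest past order of the same product is treated as an unusual quantity.
UNUSUAL_QUANTITY_MULTIPLIER = 3

# Assumed list of consumer webmail domains that warrant extra verification
# when they appear on a business account.
GENERIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


@dataclass
class CustomerProfile:
    name: str
    known_ship_to: Set[str]
    # product code -> quantities on past orders
    history: Dict[str, List[int]] = field(default_factory=dict)


@dataclass
class Order:
    customer: str
    product: str
    quantity: int
    ship_to: str
    contact_email: str
    card_security_code_present: bool   # CVV/CVC supplied with a card payment


def red_flags(order: Order, profile: CustomerProfile) -> List[str]:
    """Identify and detect the red flags from the slides for one order."""
    flags = []
    if not order.card_security_code_present:
        flags.append("card_without_security_code")
    past = profile.history.get(order.product)
    if past is None:
        flags.append("unusual_product_type")
    elif order.quantity > UNUSUAL_QUANTITY_MULTIPLIER * max(past):
        flags.append("unusual_quantity")
    if order.ship_to not in profile.known_ship_to:
        flags.append("new_delivery_location")
    domain = order.contact_email.rsplit("@", 1)[-1].lower()
    if domain in GENERIC_MAIL_DOMAINS:
        flags.append("generic_email_account")
    return flags


def response_for(flags: List[str]) -> str:
    """Respond: release, verify with the customer directly, or hold and escalate."""
    if not flags:
        return "release"
    if len(flags) == 1:
        return "verify_with_customer"   # call a number already on file, not one on the order
    return "hold_and_escalate"         # senior reviewer decides; may involve law enforcement


def screen(order: Order, profile: CustomerProfile) -> dict:
    """Run identify/detect/respond for one order and return the decision record."""
    flags = red_flags(order, profile)
    return {"customer": order.customer, "flags": flags, "response": response_for(flags)}


# Constructed sample data.
PROFILE = CustomerProfile(
    name="Northside Hardware Inc.",
    known_ship_to={"12 Main St, Albany NY"},
    history={"HAMMER-16OZ": [24, 36, 30], "SAW-CIRC": [2, 4]},
)

NORMAL_ORDER = Order(
    customer="Northside Hardware Inc.", product="HAMMER-16OZ", quantity=40,
    ship_to="12 Main St, Albany NY", contact_email="ap@northsidehw.example",
    card_security_code_present=True,
)

SUSPICIOUS_ORDER = Order(
    customer="Northside Hardware Inc.", product="SAW-CIRC", quantity=50,
    ship_to="Unit 9, 4400 Freight Rd, Newark NJ", contact_email="northsidehw@gmail.com",
    card_security_code_present=False,
)

if __name__ == "__main__":
    print(screen(NORMAL_ORDER, PROFILE))
    print(screen(SUSPICIOUS_ORDER, PROFILE))
```

The decision record returned by `screen` is the artifact the program's periodic review would look at: which flags fired, how often, and whether the response tiers are set correctly. Verification of a single flag should go through contact details the business already holds, since the details on a fraudulent order are themselves under suspicion.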
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
If you are a creditor as defined above, then administer and update your “Red Flags” program
Proper training of all personnel is required
Periodic review of your “Red Flags” program is required
Board of Directors must write and administer the “Red Flags” Program – or
A Senior Executive (e.g. credit manager) may be designated as the responsible person to write and administer the program.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE
in Summary
If you are NOT a creditor as defined above, then
If your company sells on a purely B2B basis
Your company does NOT have to comply with the “Red Flags” Rules