Affirmative Defense Response System (A D R S)

MINIMIZE MY RISK

Is your business protected and in compliance with Federal Laws governing protection of clients’ data?

Page 1: Affirmative Defense Response System

Affirmative Defense Response System (A D R S)

MINIMIZE MY RISK

Page 2: Affirmative Defense Response System

Today’s Topics

The Problem of Identity Theft
♦ What identity theft is in reality
♦ Laws related to identity theft affecting employers, executives and business owners

Better Answers to Solve The Problem
♦ Layered protection
♦ Identity theft program and training
♦ Implementing reasonable steps at little or no cost, lowering my risk and minimizing my exposure

Page 3: Affirmative Defense Response System

Who Is Being Held Responsible?

“A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.”

Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache”, BLR: Business and Legal Reports, September 19, 2006

Page 4: Affirmative Defense Response System

Identity Theft Prevalent at Work

“With the workplace being the site of more than half of all identity thefts, HR executives must ‘stop thinking about data protection as solely an IT responsibility,’ says one expert. More education on appropriate handling and protection of information is necessary, among other efforts.”

“ID Thefts Prevalent at Work”, Human Resource Executive, April 5, 2007

Page 5: Affirmative Defense Response System

Five Common Types of Identity Theft

Driver’s License Identity Theft
Medical Identity Theft
Financial Identity Theft
Social Security Identity Theft
Character/Criminal Identity Theft

(chart on slide; the only legible value is 28%)

Identity Theft is not just about Credit Cards!

ID Theft is an international crime and Access to an Attorney may be critical!

Page 6: Affirmative Defense Response System

Why I Am At Risk

The DataBased You (tm)

Each record about me and the databases (DBS) that hold it:

Your Name: 1000’s of aggregators
Address: 1000’s of DBS
Phone Number & Tracking Info: 1000’s of aggregators
Social Security: SSA DBS
Birth Certificate: Choice Pt. DBS, State, etc
Driver’s License, Record: DMV DBS
Car Registration & Info: DMV, Local Treasurer, OnStar, etc
Medical Records: MIB DBS, etc
Insurance Claims: C.L.U.E. DBS, etc
Credit History: Credit Repositories’ DBS
Real Estate Deeds: Clerks of Court DBS
Legal History: State, Fed. Court DBS
Criminal History: NCIC DBS
Military Record: DOD DBS
Fingerprints, DNA: FBI, State, Local DBS

Page 7: Affirmative Defense Response System

Where the Law Becomes Logical

Correcting the victims’ records is so overwhelming it is imperative for businesses to protect the data.

“Once the credit systems accept bad data it can be next to impossible to clear.” USA Today, June 5, 2007

“Medical identity theft can impair your health and finances . . . and detecting this isn’t easy . . . and remedying the damages can be difficult.” Wall Street Journal, October 11, 2007

Page 8: Affirmative Defense Response System

The Cost to Businesses

♦ Employees can take up to 600 hours, mainly during business hours, to restore their identities

♦ “If you experience a security breach, 20% of your affected customer base will no longer do business with you, 40% will consider ending the relationship, and 5% will be hiring lawyers!”*

♦ “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*

*CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006

Page 9: Affirmative Defense Response System

Ask Myself This Question

Why should ALL businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about . . . Identity Theft, FACTA-Red Flag Rules, GLB Safeguard Rules, and State Legislation?

Answer: Liability, both civil and criminal

Page 10: Affirmative Defense Response System

Important Legislation

♦ FACTA and FACTA Red Flag Rules
♦ Fair Credit Reporting Act
♦ Gramm, Leach, Bliley Safeguard Rules
♦ Individual State Laws

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 11: Affirmative Defense Response System

Fair & Accurate Transaction Act (FACTA)

Applies to every business and individual who maintains, or otherwise possesses, consumer information for a business purpose* and requires businesses to develop and implement a written privacy and security program.

Employee or Customer information lost under the wrong set of circumstances may cost my company:
Federal and State Fines of $2500 per occurrence
Civil Liability of $1000 per occurrence
Class action Lawsuits with no statutory limitation
Responsible for actual losses of Individual ($92,893 Avg.)

Page 12: Affirmative Defense Response System

Red Flag Rules (FACTA)

Red Flag Rules became effective in January 2008, and compliance is required by November 2008. Under these rules, covered accounts, creditors and businesses:

♦ Must develop & implement a written privacy & security program.
♦ Must obtain approval of the initial written program from either its board of directors or an appropriate committee of the board.
♦ A business with no board of directors must have a designated employee at senior management level. Small businesses are not exempt.
♦ The oversight, development, implementation & administration of the program must be performed by a senior management level employee.

Page 13: Affirmative Defense Response System

Red Flag Rules (FACTA)

Covered accounts, creditors & businesses must ensure their service providers & subcontractors comply & have reasonable policies & procedures in place . . . the rules state:

♦ Liability follows the data.
♦ A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
♦ Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
♦ Contractors with whom the covered accounts exchange PII (Personal Identity Information) are required to comply and have reasonable policies and procedures in place to protect the information.

Page 14: Affirmative Defense Response System

Fair Credit Reporting Act (FCRA)

If an employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes and/or background screening, then the employer is subject to FCRA requirements.

www.ftc.gov/os/statutes/031224fcra.pdf

Page 15: Affirmative Defense Response System

Gramm, Leach, Bliley Safeguard Rules

Applies to Any Organization that Maintains Personal Financial Information Regarding Its Clients or Customers

Eight Federal Agencies & any State can enforce this law

Non Public Information (NPI) lost under the wrong set of circumstances may result in:
Fines up to $1,000,000 per occurrence
Up to 10 Years Jail Time for Executives
Removal of management
Executives within an organization can be held accountable for non-compliance both civilly & criminally

Page 16: Affirmative Defense Response System

Privacy and Security Laws

These laws apply to any organization including:
Financial Institutions*
Schools
Credit Card Firms
Insurance Companies
Lenders
Brokers
Car Dealers
Accountants
Financial Planners
Real Estate Agents

*The FTC categorizes an impressive list of businesses as “FI” and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.

Page 17: Affirmative Defense Response System

Privacy and Security Laws

Require businesses to:
Appoint an Information Security Officer
Develop a written policy to protect NPI
Hold Mandatory Training for all employees
Oversee service provider arrangements

Page 18: Affirmative Defense Response System

Protecting Personal Information: A Guide For Business

FTC publication emphasizes that companies should:

“Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)

“Ask every employee to sign an agreement to follow company’s confidentiality and security standards for handling sensitive data” (pg 16)

“Create a culture of security implementing a regular schedule of employee training” (pg 17)

Page 19: Affirmative Defense Response System

Protecting Personal Information: A Guide For Business

“Before outsourcing any of your business functions – payroll, web hosting, customer call center operations, data processing, or the like – investigate the company’s data security practices . . .” (pg 19)

Your liability follows your data . . .

Page 20: Affirmative Defense Response System

ABA Journal, March 2006

Page 21: Affirmative Defense Response System

Betsy Broder: “The FTC will act against companies that don’t protect customers’ data.”

“Stolen Lives”, ABA Journal, March 2006

Page 22: Affirmative Defense Response System

“Broder says she understands that most small businesses cannot . . . hire a full-time . . . specialist, but . . . all businesses must be able to show they have a security plan in place. ‘We’re not looking for a perfect system . . . but we need to see that you’ve taken reasonable steps to protect your customers’ information.’”

“Stolen Lives”, ABA Journal, March 2006

Page 23: Affirmative Defense Response System

Law Firms Are Looking for Victims

Page 24: Affirmative Defense Response System

Law Firms Are Looking for Victims

“Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”

Page 25: Affirmative Defense Response System

Law Firms Are Looking for Victims

“Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”

Page 26: Affirmative Defense Response System

How Pre-Paid Legal Helps Me . . .

♦ Sets up reasonable steps to protect non-public information (NPI) & personally identifiable information (PII)
♦ Helps create a “Culture of Security”
♦ Sets up a potential Affirmative Defense
♦ Helps protect employees and customers while potentially decreasing my company’s exposure

Page 27: Affirmative Defense Response System

Affirmative Defense Response System

PPL starts the compliance process for my Company by providing templates for the appointment of the security officer & written ID Theft security plan.

To assist my company with compliance issues, an authorized ADRS specialist will conduct a training required by law for my employees. They’ll explain the different types of ID Theft and show my employees how they can protect themselves if they become a victim and why their and my customers’ personal information needs to be protected.

PPL does all this at no direct cost to my company.

Page 28: Affirmative Defense Response System

1. Appointment of Security Compliance Officer

May 1, 2008
[insert employee designee]

RE: Appointment of Security Compliance Officer

Dear [employee]:

As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer.

Sincerely,
[Company] Chief Executive Officer

Stays in Company Files . . .

Page 29: Affirmative Defense Response System

2. ID Theft Plan and Sensitive and Non-Public Information Policy

SENSITIVE INFORMATION POLICY & IDENTITY THEFT PREVENTION PROGRAM
(policy excerpt as shown on the slide; the text is cut off)

1. BACKGROUND
The risk to the company, its employees and customers from data loss and identity

1. Purpose
The company adopts this policy to help protect employees, customers, contractors and the company from damages related to loss or misuse of sensitive information. This policy will:
§ Define sensitive information
§ Describe the physical security of data when it is
§ Describe the electronic security of data when s

Every Employee Gets a Copy

Page 30: Affirmative Defense Response System

3. Privacy and Security Letter

May 10, 2008

To All Employees/Agents
[Company Name]

RE: MANDATORY EMPLOYEE MEETING, PRIVACY & SECURITY COMPLIANCE PROGRAM & IDENTITY THEFT TRAINING

On , in the Conference Room, [Company] will host a mandatory employee meeting and training session on identity theft and privacy compliance. Additionally, as an employee, you will be provided an opportunity to purchase an identity theft product. As you know, [Company] makes every effort to comply with all Federal Trade Commission guidelines to protect personal employee

Sincerely,
[Name]
[Company] Owner

Mailed to All Employees, With a Copy in File . . .

Page 31: Affirmative Defense Response System

4. May Reduce Company Losses

PPL will train on privacy and security laws and offer my employees a payroll deduction benefit that includes:
Identity Monitoring Services
Life Events Legal Plan & Legal Shield
Identity Restoration Services
(diagram on slide: the three services surround “Me”)

In the event of a data breach, this may help mitigate potential losses for my company. PPL’s program may reduce my exposure to litigation, potential fines, fees and lawsuits.

* Subject To Terms And Conditions

Page 32: Affirmative Defense Response System

4. May Reduce Company Losses

Credit Monitoring, Access to Legal Counsel and Full Restoration

* Subject To Terms And Conditions

Page 33: Affirmative Defense Response System

4. May Reduce Company Losses

This means employees who participate in this program may reduce my company’s exposures. The majority of the time, restoring an employee’s identity is covered by the memberships and not done on company time &/or company expense. Also, use of PPL’s Life Events Legal Plan provides help* that addresses related issues.

* Subject To Terms And Conditions

Page 34: Affirmative Defense Response System

5. Potential Early Warning System

If a number of my employees are notified of improper usage of their identities, this may act as an early warning system to my company of a possible internal breach, which could further reduce my losses.

Page 35: Affirmative Defense Response System

6. May Provide an Affirmative Defense

BLR says this “Provides an Affirmative Defense for the company.”

“One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have an employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance . . . Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal."”

Business and Legal Reports, January 19, 2006

Page 36: Affirmative Defense Response System

7. Provides Proof I Offered A Mitigation Plan to My Employees

Identity Theft Protection and Legal Service
(Proof of offer of a Mitigation Plan)

• As an employee of _______________________ located in ____________________, acknowledge that a Pre-Paid Legal Services, Inc., independent sales associate made available to me the Identity Theft Shield and a Pre-Paid Legal Services, Inc. membership.

• Identity Theft Shield:
– Initial credit report and guide on how to read the report
– Continuous credit monitoring
– Identity restoration in the event of a theft

• Life Events Legal Plan:
– Preventive legal services provided through a network of independent provider attorney law firms in each state and province
– Phone Consultation with Attorneys/Review of Documents/Phone Calls and Letters for any legal matter and issues regarding identity theft including concerns regarding my: 1) driver’s license, 2) medical information, 3) social security number, 4) character/criminal identity, and 5) my credit identity and information

Opt-in/out Sheet in Employees’ File

Page 37: Affirmative Defense Response System

8. Mitigating Damages

To potentially protect myself, I should have all employees sign this document . . .

Be Sure To Check With Your Attorney Before Using A Form Such As This

Use of Confidential Information by Employee
(form text as shown on the slide; parts are obscured)

I, ___________________, as an Employee or Independent Contractor of _________________, in the City of , State of , do hereby acknowledge that I must comply with a number of State and Federal Laws which regulate the handling of, HIPAA, The Economic Espionage Act, The Privacy Act, Gramm/Leach/Bliley, ID Theft Laws (where applicable), Trade Secrets Protections, and Implied Contract Breach. I understand that I to, Federal and State fines, criminal terms, real as regards to the handling of confidential information so as to protect the privacy of all involved.

_______________ ____________________
Employee Name   Employee Signature

______________________________
Witness Name   Witness Signature

________________ Date

♦ It makes Employees aware of their legal responsibilities to protect NPI
♦ It serves as proof that handlers of NPI have completed the training required by law

Page 38: Affirmative Defense Response System

8. Mitigating Damages

Use of Confidential Information by Employee (the same form shown on Page 37)

This form or one similar to it is required by the FTC for all employees*

Page 39: Affirmative Defense Response System

Disclaimer

1. The laws discussed in this presentation are, like most laws, routinely amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.

2. The associate is not an attorney, and the information provided is not to be taken as legal advice.

3. Your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.

4. Although our program serves as a potential affirmative defense for your business and greatly increases your protection, this may not be an absolute defense. We make no guarantee that implementing our program will protect the business from all liability.

Page 40: Affirmative Defense Response System

Legal Advisory Council

Advisory Council was established to provide quality counsel and advice.

Duke R. Ligon, Advisory Council Member, Former Senior V.P. & General Counsel, Devon Energy Corp
Grant Woods, Advisory Council Member, Former Arizona Attorney General
Andrew P. Miller, Advisory Council Member, Former Virginia Attorney General
Mike Moore, Advisory Council Member, Former Mississippi Attorney General

Page 41: Affirmative Defense Response System

Take Charge

Just like other State and Federal laws, privacy and security laws are not optional. PPL can assist my company in starting the compliance process before a data breach, loss, or theft affects my employees or customers!

PPL can help provide me a solution!

When am I able to schedule my employees’ training?