Is your business protected and in compliance with Federal Laws governing protection of clients’ data?
Affirmative Defense Response System (A D R S)
MINIMIZE MY RISK
Today’s Topics
The Problem of Identity Theft
♦ What identity theft is in reality
♦ Laws related to identity theft affecting employers, executives and business owners
Better Answers to Solve The Problem
♦ Layered protection
♦ Identity theft program and training
♦ Implementing reasonable steps at little or no cost, lowering my risk and minimizing my exposure
Who Is Being Held Responsible?
“A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.”
Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache”, BLR: Business and Legal Reports, September 19, 2006
Identity Theft Prevalent at Work
“With the workplace being the site of more than half of all identity thefts, HR executives must ‘stop thinking about data protection as solely an IT responsibility,’ says one expert. More education on appropriate handling and protection of information is necessary, among other efforts.”
“ID Thefts Prevalent at Work”, Human Resource Executive, April 5, 2007
Five Common Types of Identity Theft
♦ Driver’s License Identity Theft
♦ Medical Identity Theft
♦ Financial Identity Theft
♦ Social Security Identity Theft
♦ Character/Criminal Identity Theft
Identity Theft is not just about Credit Cards!
ID Theft is an international crime and Access to an Attorney may be critical!
Why I Am At Risk: The DataBased You™
♦ Your Name: 1000’s of aggregators
♦ Fingerprints, DNA: FBI, State, Local DBS
♦ Insurance Claims: C.L.U.E. DBS, etc
♦ Military Record: DOD DBS
♦ Criminal History: NCIC DBS
♦ Real Estate Deeds: Clerks of Court DBS
♦ Legal History: State, Fed. Court DBS
♦ Credit History: Credit Repositories’ DBS
♦ Birth Certificate: Choice Pt. DBS, State, etc
♦ Phone Number & Tracking Info: 1000’s of aggregators
♦ Social Security: SSA DBS
♦ Address: 1000’s of DBS
♦ Driver’s License, Record: DMV DBS
♦ Medical Records: MIB DBS, etc
♦ Car Registration & Info: DMV, Local Treasurer, OnStar, etc
Where the Law Becomes Logical
Correcting the victims’ records is so overwhelming it is imperative for businesses to protect the data.
“Once the credit systems accept bad data it can be next to impossible to clear.” USA Today, June 5, 2007
“Medical identity theft can impair your health and finances . . . and detecting this isn’t easy . . . and remedying the damages can be difficult.” Wall Street Journal, October 11, 2007
The Cost to Businesses
♦ Employees can take up to 600 hours, mainly during business hours, to restore their identities
♦ “If you experience a security breach, 20% of your affected customer base will no longer do business with you, 40% will consider ending the relationship, and 5% will be hiring lawyers!”*
♦ “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
*CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006
Ask Myself This Question
Why should ALL businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about . . . Identity Theft, FACTA-Red Flag Rules, GLB Safeguard Rules, and State Legislation?
Answer: Liability, both civil and criminal
Important Legislation
♦ FACTA and FACTA Red Flag Rules
♦ Fair Credit Reporting Act
♦ Gramm, Leach, Bliley Safeguard Rules
♦ Individual State Laws
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
Fair & Accurate Transaction Act (FACTA)
Employee or Customer information lost under the wrong set of circumstances may cost my company:
♦ Federal and State Fines of $2500 per occurrence
♦ Civil Liability of $1000 per occurrence
♦ Class action Lawsuits with no statutory limitation
♦ Responsible for actual losses of Individual ($92,893 Avg.)
Applies to every business and individual who maintains, or otherwise possesses, consumer information for a business purpose, and requires businesses to develop and implement a written privacy and security program.
♦ Must develop & implement a written privacy & security program.
♦ Must obtain approval of the initial written program from either its board of directors or an appropriate committee of the board.
♦ A business with no board of directors must have a designated employee at senior management level. Small businesses are not exempt.
♦ The oversight, development, implementation & administration of the program must be performed by a senior management level employee.
Red Flag Rules (FACTA)
Red Flag Rules became effective in January 2008; compliance is required by November 2008. Under these rules, covered accounts, creditors and businesses:
♦ Liability follows the data.
♦ A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
♦ Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
♦ Contractors with whom the covered accounts exchange PII (Personal Identity Information) are required to comply and have reasonable policies and procedures in place to protect the information.
Red Flag Rules (FACTA)
Covered accounts, creditors & businesses must ensure their service providers & subcontractors comply & have reasonable policies & procedures in place . . .
Fair Credit Reporting Act (FCRA)
The rules state: If an employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes and/or background screening, then the employer is subject to FCRA requirements.
www.ftc.gov/os/statutes/031224fcra.pdf
Gramm, Leach, Bliley Safeguard Rules
Applies to Any Organization that Maintains Personal Financial Information Regarding Its Clients or Customers.
Eight Federal Agencies & any State can enforce this law.
Non Public Information (NPI) lost under the wrong set of circumstances may result in:
♦ Fines up to $1,000,000 per occurrence
♦ Up to 10 Years Jail Time for Executives
♦ Removal of management
♦ Executives within an organization can be held accountable for non-compliance both civilly & criminally
Privacy and Security Laws
These laws apply to any organization including:
♦ Financial Institutions*
♦ Schools
♦ Credit Card Firms
♦ Insurance Companies
♦ Lenders
♦ Brokers
♦ Car Dealers
♦ Accountants
♦ Financial Planners
♦ Real Estate Agents
*The FTC categorizes an impressive list of businesses as “FI” and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.
Privacy and Security Laws
Require businesses to:
♦ Appoint an Information Security Officer
♦ Develop a written policy to protect NPI
♦ Hold Mandatory Training for all employees
♦ Oversee service provider arrangements
Protecting Personal Information: A Guide For Business
FTC publication emphasizes that companies should:
♦ “Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)
♦ “Ask every employee to sign an agreement to follow company’s confidentiality and security standards for handling sensitive data” (pg 16)
♦ “Create a culture of security implementing a regular schedule of employee training” (pg 17)
♦ “Before outsourcing any of your business functions – payroll, web hosting, customer call center operations, data processing, or the like – investigate the company’s data security practices . . .” (pg 19)
Your liability follows your data . . .
“Stolen Lives”, ABA Journal, March 2006
Betsy Broder: “The FTC will act against companies that don’t protect customers’ data.”
“Broder says she understands that most small businesses cannot . . . hire a full-time . . . specialist, but . . . all businesses must be able to show they have a security plan in place. ‘We’re not looking for a perfect system . . . but we need to see that you’ve taken reasonable steps to protect your customers’ information.’”
Law Firms Are Looking for Victims
“Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”
“Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”
How Pre-Paid Legal Helps Me . . .
♦ Sets up reasonable steps to protect non-public information (NPI) & personally identifiable information (PII)
♦ Helps create a “Culture of Security”
♦ Sets up a potential Affirmative Defense
♦ Helps protect employees and customers while potentially decreasing my company exposure
Affirmative Defense Response System
PPL starts the compliance process for my Company by providing templates for the appointment of the security officer & written ID Theft security plan.
To assist my company with compliance issues an authorized ADRS specialist will conduct a training required by law for my employees. They’ll explain the different types of ID Theft and show my employees how they can protect themselves if they become a victim and why their and my customers’ personal information needs to be protected.
PPL does all this at no direct cost to my company.
1. Appointment of Security Compliance Officer
May 1, 2008
[insert employee designee]
RE: Appointment of Security Compliance Officer
Dear [employee]:
As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer.
].
Sincerely,
[Company] Chief Executive Officer
Stays in Company Files . . .
2. ID Theft Plan and Sensitive and Non-Public Information Policy
SENSITIVE INFORMATION POLICY & IDENTITY THEFT PREVENTION PROGRAM
1. BACKGROUND
The risk to the company, its employees and customers from data loss and identity
1. Purpose
The company adopts this policy to help protect employees, customers, contractors and the company from damages related to loss or misuse of sensitive information. This policy will:
§ Define sensitive information
§ Describe the physical security of data when it is
§ Describe the electronic security of data when s
Every Employee Gets a Copy
3. Privacy and Security Letter
To All Employees/Agents
[Company Name]
RE: MANDATORY EMPLOYEE MEETING, PRIVACY & SECURITY COMPLIANCE PROGRAM & IDENTITY THEFT TRAINING
May 10, 2008
On ________, in the Conference Room, [Company] will host a mandatory employee meeting and training session on identity theft and privacy compliance. Additionally, as an employee, you will be provided an opportunity to purchase an identity theft product.
As you know, [Company] makes every effort to comply with all Federal Trade Commission guidelines to protect personal employee
Sincerely,
[Name]
[Company] Owner
Mailed to All Employees, With a Copy in File . . .
4. May Reduce Company Losses
[Diagram: Identity Monitoring Services, Life Events Legal Plan & Legal Shield, and Identity Restoration Services surrounding “Me”]
In the event of a data breach, this may help mitigate potential losses for my company. PPL’s program may reduce my exposure to litigation, potential fines, fees and lawsuits.
PPL will train on privacy and security laws and offer my employees a payroll deduction benefit that includes:
♦ Credit Monitoring
♦ Access to Legal Counsel
♦ and Full Restoration
This means employees who participate in this program may reduce my company’s exposures. The majority of the time restoring an employee’s identity is covered by the memberships and not done on company time &/or company expense. Also, use of PPL’s Life Events Legal Plan provides help* that addresses related issues.
* Subject To Terms And Conditions
5. Potential Early Warning System
If a number of my employees are notified of improper usage of their identities, this may act as an early warning system to my company of a possible internal breach which could further reduce my losses.
6. May Provide an Affirmative Defense
BLR says this “Provides an Affirmative Defense for the company.”
“One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have an employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance . . . Greg Roderick, CEO of Frontier Management, says that his employees "feel like the company's valuing them more, and it's very personal."”
Business and Legal Reports, January 19, 2006
7. Provides Proof I Offered A Mitigation Plan to My Employees
Identity Theft Protection and Legal Service (Proof of offer of a Mitigation Plan)
• I, as an employee of _______________________ located in ____________________, acknowledge that a Pre-Paid Legal Services, Inc., independent sales associate made available to me the Identity Theft Shield and a Pre-Paid Legal Services, Inc. membership.
• Identity Theft Shield:
– Initial credit report and guide on how to read the report
– Continuous credit monitoring
– Identity restoration in the event of a theft
• Life Events Legal Plan:
– Preventive legal services provided through a network of independent provider attorney law firms in each state and province
– Phone Consultation with Attorneys/Review of Documents/Phone Calls and Letters for any legal matter and issues regarding identity theft including concerns regarding my: 1) driver’s license, 2) medical information, 3) social security number, 4) character/criminal identity, and 5) my credit identity and information
Opt-in/out Sheet in Employees’ File
8. Mitigating Damages
To potentially protect myself, I should have all employees sign this document . . .
Be Sure To Check With Your Attorney Before Using A Form Such As This
Use of Confidential Information by Employee
I, ___________________, as an Employee or Independent Contractor of _________________, in the City of __________, State of __________, do hereby acknowledge that I must comply with a number of State and Federal Laws which regulate the handling of, HIPAA, The Economic Espionage Act, The Privacy Act, Gramm/Leach/Bliley, ID Theft Laws (where applicable), Trade Secrets Protections, and Implied Contract Breach. I understand that I to, Federal and State fines, criminal terms, real as regards to the handling of confidential information so as to protect the privacy of all involved.
_______________ ____________________
Employee Name / Employee Signature
______________________________
Witness Name / Witness Signature
________________ Date
♦ It makes Employees aware of their legal responsibilities to protect NPI
♦ It serves as proof that handlers of NPI have completed the training required by law
This form or one similar to it is required by the FTC for all employees*
Disclaimer
1. The laws discussed in this presentation are, like most laws, routinely amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.
2. The associate is not an attorney, and the information provided is not to be taken as legal advice.
3. Your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.
4. Although our program serves as a potential affirmative defense for your business and greatly increases your protection, this may not be an absolute defense. We make no guarantee that implementing our program will protect the business from all liability.
Legal Advisory Council
Advisory Council was established to provide quality counsel and advice.
♦ Duke R. Ligon, Advisory Council Member, Former Senior V.P. & General Counsel, Devon Energy Corp
♦ Grant Woods, Advisory Council Member, Former Arizona Attorney General
♦ Andrew P. Miller, Advisory Council Member, Former Virginia Attorney General
♦ Mike Moore, Advisory Council Member, Former Mississippi Attorney General
Take Charge
Just like other State and Federal laws, privacy and security laws are not optional. PPL can assist my company in starting the compliance process before a data breach, loss, or theft affects my employees or customers!
PPL can help provide me a solution!
When am I able to schedule my employees’ training?