Creating Your Red Flags Rule Playbook

May 2010

Growing Identity Theft

Incidences of identity theft grew by 11 percent from 2008 to 2009, altering the lives of 11 million Americans *

One in every 20 Americans will be a victim of identity theft this year *

* Javelin Strategy & Research 2010 Identity Fraud Survey Report

Agenda

•Overview of the Red Flags Rule and who must comply

•Learn how to enhance your data security practices

•Harmonize security controls across multiple mandates such as PCI DSS

•Monitor controls that the Federal Trade Commission mandates

•Effectively respond to red flags as they are identified

Today’s Speakers

Jeff Hughes, Director, Solution Marketing, Lumension

Brandon Dunlap, Managing Director of Research, Brightfly

Red Flags Rule – the What, Why, Who and When?


What is the Red Flags Rule Regulation?

The red flags fall into five categories:

1. Alerts, notifications, or warnings from a consumer reporting agency

2. Suspicious documents

3. Suspicious personally identifying information (e.g. a suspicious address)

4. Unusual use relating to a covered account

5. Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts

Who Must Comply with the Red Flags Rule?

•Applies to “financial institutions” and “creditors”

» Financial Institution - a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.

» Creditor - organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.


Enforcement of Red Flags Rule

Compliance Deadline

•Anyone with “covered accounts” must be compliant as of June 1, 2010.

Audits

•The FTC can conduct investigations to determine if a business has taken appropriate steps to develop and implement a written Program, as required by the Rule. If a violation occurs, the FTC can bring an enforcement action.

Penalties for Non-Compliance

•The FTC can seek both monetary civil penalties and injunctive relief for violations.

•$3,500 is the maximum civil penalty per violation instance

•Additional costs could include:

» Civil suits

» Reporting and document retention requirements

» Compliance requirements via court order

Enhancing Data Security Practices


Red Flags Rule and Your Security Program

1. Identify
» Identify optimal controls to meet your policy requirements

2. Assess
» Assess technical, procedural, and physical controls

3. Remediate
» Prioritize and address technical and procedural control deficiencies

4. Manage
» Create operational and strategic visibility across compliance, IT risk and control environments

Enhancing Data Security Measures

1. Identify Relevant Red Flags

» Identify the red flags of identity theft you’re likely to come across in your business

2. Detect Red Flags

» Set up procedures to detect those red flags in your day-to-day operations

3. Prevent and Mitigate Identity Theft

» Respond to identified red flags to prevent and mitigate the harm done

4. Update your Program

» Keep your program current and educate your staff

» Design and implement a program that is appropriate for your organization’s size and complexity


Harmonize Controls Across Multiple Regulatory Requirements


Compliance and IT Risk Management Challenges

[Diagram: Compliance and IT Risk Management Challenges. Challenges shown: Fragmented IT Visibility; Lack of Regulatory Knowledge; Manual & Disparate Processes; Misinterpretation of Policies & Controls; Disparate Data Collection; Functional Silos; Non-Standardized Processes. Other labels in the diagram: HIPAA, PCI, SOX, Security Policy, Password Length, Special Characters, Excel, Manual Surveys, Database, Business Processes, IT Resources.]

Similar Requirements to Other Regulations

Requirements compared across the Red Flags Rule and PCI DSS:

•Train Staff to Recognize an Incident

•Security Awareness and Training

•Test and Update the Incident Response Plan

•Maintain Intrusion Detection and Incident Monitoring and Response Capabilities

•Manage Third-Party Services

•Report Monitoring Statistics and Follow-up to the Board of Directors

Capabilities to Improve Security and Ensure Compliance


Solutions to Ensure Compliance and Improve Security

Lumension® Compliance and IT Risk Management

» Delivers a standardized Compliance and IT risk management framework

» Standardized interpretation of organizational policies and controls

» Improves IT risk and compliance visibility

» Reduces reliance on third-party consulting and auditing resources

» Automates and integrates assessment and remediation processes and data

» Optimizes IT resources to proactively address IT risk and compliance exposure

[Diagram: Compliance Management and IT Risk Management cycle: Identify, Assess, Remediate, Manage]

Creating Your Playbook

Benefits of Creating a “Playbook”

•Reduce manual and redundant efforts

•Deliver centralized visibility into your IT risk posture

•Efficient processes extend IT security/compliance budget

•Prioritize remediation against business impact

•Take cost savings and invest in the business to drive innovation


Q&A

Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255
1.888.725.7828
[email protected]