adrs flip chart with red flags rev4

With Dan Cassin, CITRMS

Post on 15-Jan-2015

DESCRIPTION

Business Identity Theft Training

TRANSCRIPT

Page 1: Adrs Flip Chart With Red Flags Rev4

With Dan Cassin, CITRMS

Page 2: Adrs Flip Chart With Red Flags Rev4

Identity Theft: The Next Corporate Liability Wave

“Your phone rings. It’s Special Agent Bret Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered that the personal data appears to have come from your company. The victims are your customers, employees & vendors.

Your mind begins to spin. Are there other customers affected who haven’t been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?

You recall reading that each identity theft victim will on average spend $1,495.00, excluding attorney’s fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2,000 per victim. Multiplying that by 10,000 customer-victims equals $20 million. Add as little as $15 per hour for the victims’ time and you get $11,000 per case, or $110 million in total, even before fines and punitive damages are considered. And that’s on top of the potential impact on your company’s future sales.” [ed. And before attorney’s fees!]

Corporate Counsel, March 30, 2005

Page 3: Adrs Flip Chart With Red Flags Rev4

Identity Theft: Your Next Corporate Liability?

“The nation’s fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies.” [ed. large & small]

Corporate Counsel, March 30, 2005

Page 4: Adrs Flip Chart With Red Flags Rev4

What we will cover in the next few minutes

The Problem of Identity Theft
• What ID Theft is in reality
• Laws related to ID Theft that punish your business

Best Answer to Problem
• Layered Protection
• ID Theft Program and Training
• Implementing reasonable steps at little or no cost that will lower your risk and minimize your exposure

Page 5: Adrs Flip Chart With Red Flags Rev4

BLR: Business and Legal Reports BY: Douglas, Hottle, Meyer, Unkovic & Scott

“A rise in identity theft is presenting businesses with a major headache.” Employers are being held liable for identity theft (by employees) that occurs in the workplace.

Identity Theft is the misuse or fraudulent use of an individual’s personal information. Unfortunately for employers, personal data such as social security, driver’s license and bank account numbers is precisely what is contained in HR files, a goldmine for ID thieves.

9/19/2006

Page 6: Adrs Flip Chart With Red Flags Rev4

ID Thefts Prevalent at Work

The workplace is the site of more than half of all identity thefts, ... executives must “stop thinking about data protection as solely an IT responsibility”. More education is necessary.

– Human Resource Executive May 2007

Page 7: Adrs Flip Chart With Red Flags Rev4

Five Common Types of Identity Theft

• Drivers License
• Medical Info
• Financial or Credit
• Social Security
• Character/Criminal

Identity Theft is not just about Credit Cards!

It is a Legal Issue! ID Theft is an international crime and access to an attorney may be critical.

Page 8: Adrs Flip Chart With Red Flags Rev4

Once the credit systems accept bad data it can be next to impossible to clear.

USAToday June 5, 2007

Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult.

WSJ Oct 11, 2007

Because it is so overwhelming to correct the victims’ records it is imperative for businesses to protect the data.

Where the law becomes logical

Page 9: Adrs Flip Chart With Red Flags Rev4

The Cost to Businesses

Employees can take up to 600 hours, mainly during business hours, to restore their identities

“If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*

“When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*

*CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006

Page 10: Adrs Flip Chart With Red Flags Rev4

Should I be concerned about ID Theft?

Why should all Executives/Owners of businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about Identity Theft, Data Security, FACTA-Red Flag Rules, GLB Safeguard Rules, and State Legislation?

Answer: Liability, both civil and criminal.

Page 11: Adrs Flip Chart With Red Flags Rev4

Important Legislation

• FACTA-Red Flag Rules
• Fair Credit Reporting Act
• Gramm, Leach, Bliley Safeguard Rules
• Individual State Laws (e.g. NCITPA & Texas Whistle Blower Statute)

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 12: Adrs Flip Chart With Red Flags Rev4

Fair and Accurate Credit Transactions Act (FACTA)

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Applies To Every Business And Individual Who Maintains, Or Otherwise Possesses, Consumer Information (including Employee & Vendor info) For A Business Purpose.

Employee or Customer information lost under the wrong set of circumstances may cost your company:

• Federal and State Fines of $2500 per occurrence
• Civil Liability of $1000 per occurrence
• Class action Lawsuits with no statutory limitation
• Responsible for actual losses of Individual ($92,893 Avg.)

(New rules are substantive and impose additional new requirements effective January 1, 2008)

Page 13: Adrs Flip Chart With Red Flags Rev4

ESTABLISHMENT OF AN IDENTITY THEFT PREVENTION PROGRAM

Must develop and implement a written Identity Theft Prevention Program (Program).

Must obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors.

Or if the business does not have a board of directors it must have a designated employee at the level of senior management. Small Businesses are not exempt.

The oversight, development, implementation and administration of the Program must be performed by an employee at the level of senior management.

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)

Page 14: Adrs Flip Chart With Red Flags Rev4

TRAINING STAFF TO EFFECTIVELY IMPLEMENT THE PROGRAM

A Culture of Security must be established at all businesses.

Personally Identifiable Information (PII) and Non-Public Information (NPI) such as Social Security numbers, driver’s license numbers, etc., must be protected as if they were loose cash, because the loss of PII can be more devastating than the loss of cash, since cash can be replaced.

All staff who could possibly have access to PII/NPI inside or outside the business must be trained so that they understand why the information needs to be protected and that there are legal consequences for not doing it. This is necessary to effectively implement an identity theft prevention program.

FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 15: Adrs Flip Chart With Red Flags Rev4

SERVICE PROVIDERS AND SUBCONTRACTORS

Liability follows the data.

A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.

Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.

Additionally, contractors with whom you exchange PII are required to comply and have reasonable policies and procedures in place to protect information.

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

FACTA-Identity Theft Red Flag Rules (Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)

Page 16: Adrs Flip Chart With Red Flags Rev4

If an Employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the Employer is subject to FCRA requirements.

www.ftc.gov/os/statutes/031224fcra.pdf

Fair Credit Reporting Act (FCRA)

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 17: Adrs Flip Chart With Red Flags Rev4

Eight Federal Agencies and any State can enforce this law

Applies To Any Organization That Maintains Personal Financial Information Regarding Its Clients Or Customers

Non Public Information (NPI) lost under the wrong set of circumstances may result in:

• Fines up to $1,000,000 per occurrence
• Up to 10 Years Jail Time for Executives
• Removal of management
• Executives within an organization can be held accountable for non-compliance both civilly and criminally

Gramm, Leach, Bliley Safeguard Rules

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 18: Adrs Flip Chart With Red Flags Rev4

Applies to any Organization Including:

Financial Institutions*

School Districts

Credit Card Firms

Insurance Companies

Lenders

Brokers

Car Dealers

Accountants

Financial Planners

Real Estate Agents

*The FTC categorizes an impressive list of businesses as FI and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

FACTA-Red Flag Rule & Gramm, Leach, Bliley Safeguard Rules

Page 19: Adrs Flip Chart With Red Flags Rev4

Require businesses to:

Appoint in writing an Information Security Officer.

Develop a written ID Theft protection plan & policy to protect Non-Public Information for employees and customers.

Hold mandatory training for employees who have access to Non-Public Information.

Oversee Service Provider compliance arrangements

FACTA Red Flag Rules and the GLB Safeguard Rules

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 20: Adrs Flip Chart With Red Flags Rev4

FTC Guide: Protecting Personal Information A Guide For Business

Suggests that companies should:

“Create a culture of security by implementing a regular schedule of employee training” (pg 17)

“Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)

Page 21: Adrs Flip Chart With Red Flags Rev4

ABA Journal, March 2006

Page 22: Adrs Flip Chart With Red Flags Rev4

- “Stolen Lives”, ABA Journal, March 2006

“‘We’re not looking for a perfect system,’ Broder says. ‘But we need to see that you’ve taken reasonable steps to protect your customers’ information.’”

Page 23: Adrs Flip Chart With Red Flags Rev4

Law Firms Are Trolling for Victims

Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.

Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.

Page 24: Adrs Flip Chart With Red Flags Rev4

Why and How We Help You…

Set up Reasonable Steps To Protect NPI/PII

Help Create a “Culture of Security”

Set up a potential Affirmative Defense

Help Protect employees and customers while potentially decreasing your company exposure

Page 25: Adrs Flip Chart With Red Flags Rev4

We start the compliance process for your Company by providing templates for the written ID Theft security plan and the appointment of the security officer.

To assist your company with compliance issues we will conduct a mandatory training required by law for your employees at no cost to you. We will explain the different types of ID Theft and show your employees how they can protect themselves if they become a victim and why their and your customers’ personal information needs to be protected.

We do all of this at no direct cost to your company*. *There is a fee for Future Training and Consultation to assist with policies and implementing the program beyond this.

Affirmative Defense Response System

Page 26: Adrs Flip Chart With Red Flags Rev4

What We Do

1. Mandatory Meeting Letter

To All Employees
[Company]
RE: MANDATORY EMPLOYEE MEETING
PRIVACY AND SECURITY COMPLIANCE PROGRAM AND IDENTITY THEFT TRAINING
[insert date, time and location]

On [insert date], [company] will host a mandatory employee meeting and training session on identity theft and privacy compliance. Additionally, as an employee, you will be provided an opportunity to purchase an identity theft product. As you know, [company] makes every effort to comply with all Federal Trade Commission guidelines to protect personal employee, customer and vendor information. As part of our security program, we want to train all employees on concrete steps to help reduce the risk of security breaches and identity theft. This program is important to [company] and your attendance is mandatory. I look forward to seeing each of you there on [date].

Sincerely,
[Company] CEO

Page 27: Adrs Flip Chart With Red Flags Rev4

What We Do

2. Appoint a Security Compliance Officer

February 1, 2008
[insert employee designee]
RE: Appointment of Security Compliance Officer

Dear [employee]:

As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer. As Security Officer you will be responsible to design, implement and monitor a security program to protect the security, confidentiality and integrity of personal information collected from and about our employees, consumers and vendors. As Security Officer you will help [Company] identify material internal and external risks to the security of personal information; design and implement reasonable safeguards to control the risks identified in the risk assessment; evaluate and adjust the program in light of testing results; and continuously monitor the program and procedures. As Security Officer, [Company] will provide you access to training courses and materials on a continuing basis. Thank you for your commitment to [Company].

Sincerely,
[Company] Chief Executive Officer

Page 28: Adrs Flip Chart With Red Flags Rev4

What We Do

3. ID Theft Plan & Sensitive & Non Public Information Policy

SENSITIVE and NON PUBLIC INFORMATION POLICY

1. PURPOSE
The company adopts this policy to help protect employees, customers, contractors and the company from damages related to loss or misuse of sensitive information. This policy will:
• Define sensitive information
• Describe the physical security of data when it is printed on paper
• Describe the electronic security of data when stored and distributed

2. SCOPE
This policy applies to employees, contractors, consultants, temporaries, and other workers at the company, including all personnel affiliated with third parties.

3. POLICY
3.1. Definition of Sensitive Information
Sensitive information includes the following items whether stored in electronic or printed format:
3.1.1. Personal Information - Sensitive information consists of personal information including, but not limited to:
3.1.1.1. Credit Card Information, including any of the following:
• Credit Card Number (in part or whole)
• Credit Card Expiration Date
• Cardholder Name
• Cardholder Address

(First of four pages)

Page 29: Adrs Flip Chart With Red Flags Rev4

What We Do

4. Reduce Company Losses

In the event of a data breach, we may help mitigate potential losses for your company. Our program may reduce your exposure to litigation, potential fines, fees and lawsuits. We will train and offer your employees a payroll deduction benefit that includes:
• Credit Monitoring,
• Full Restoration and
• Access to Legal Counsel
which means employees who participate in this program may reduce your company’s exposure. The majority of the time in restoring an employee’s identity is covered by the memberships and not done on company time or at company expense. Also, use of our Life Events Legal Plan provides help* that addresses related legal issues.

Life Events Legal Plan & Legal Shield
Monitoring Services
Restoration Services

* Subject To Terms And Conditions

Page 30: Adrs Flip Chart With Red Flags Rev4

What We Do

5. Potential Early Warning System

If a number of your employees get notified of improper usage of their identities, this may act as an early warning system to your company of a possible internal breach, which could further reduce your losses.

Page 31: Adrs Flip Chart With Red Flags Rev4

What We Do

6. Provide an Affirmative Defense

BLR: “Provides an Affirmative Defense for the company.”

“One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer . . . identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees ‘feel like the company’s valuing them more, and it’s very personal.’”

Business and Legal Reports, January 19, 2006

Page 32: Adrs Flip Chart With Red Flags Rev4

What We Do

7. Provide Proof You Offered A Mitigation Plan – Checklist

Identity Theft Protection and Legal Services

As an employee of ______________________________, located in _________________________, I acknowledge that a Pre-Paid Legal Services, Inc., independent sales associate made available to me the Identity Theft Shield and a Pre-Paid Legal Services, Inc. membership.

Identity Theft Shield:
o Initial credit report and guide on how to read the report
o Continuous credit monitoring
o Identity restoration in the event of a theft

Pre-Paid Legal Services Plan:
o Preventive legal services provided through a network of independent provider attorney law firms in each state and province
o Phone Consultation with Attorneys/Review of Documents/Phone Calls and Letters for any legal matter and issues regarding identity theft including concerns regarding my: 1) drivers license, 2) medical information, 3) social security number, 4) character/criminal identity, and 5) my credit identity and information
o A Will for me and my spouse
o Motor vehicle moving violation representation
o Trial defense
o IRS audit
o Legal Shield 24 hours a day, 7 days a week when arrested or detained
o Discounted rate for other legal services

I have seen and read the brochures listing the specific benefits, limitations and exclusions of these plans. The company made these benefits available to me at my expense.

___ I have decided to enroll in both plans.
___ I have decided to enroll in the legal plan only.
___ I have decided to enroll in the Identity Theft Shield only.
___ I have decided not to enroll in either plan.

Name: _____________________________ Date: _______________________
Signature: __________________________ Witness: _____________________

Page 33: Adrs Flip Chart With Red Flags Rev4

What We Do

8. Mitigation Planning

Use of Confidential Information by Employee

It makes Employees aware of their legal responsibilities to protect NPI.

It serves as proof that handlers of NPI have completed the mandatory training required by law.

To potentially protect yourself, you should have all employees sign this document…

Be Sure To Check With Your Attorney Before Using A Form Such As This

Page 34: Adrs Flip Chart With Red Flags Rev4

What We Do

8. Mitigation Planning Continued –

This form or one similar to it is required by the FTC for all of your employees*

* FTC – Protecting Personal Information A Guide For Business pg 15

Page 35: Adrs Flip Chart With Red Flags Rev4

What You Need To Do Next

Take Action Today!

to protect your business
to protect your clients
to protect your employees
to protect your vendors

* FTC – Protecting Personal Information A Guide For Business pg 15

Page 36: Adrs Flip Chart With Red Flags Rev4

What You Need To Do Next

Take Action Today!

1. Talk with Dan or leave him your card.
2. Set up a time to talk with Dan about ADRS employee training.
3. Schedule a training with your employees ASAP.
4. Set up your ADRS program w/ Dan.
5. Sign up for the ID Theft/ Legal Plan benefit for you and your employees.

* FTC – Protecting Personal Information A Guide For Business pg 15

Page 37: Adrs Flip Chart With Red Flags Rev4

Mike Moore served as Attorney General of Mississippi from 1988 to 2004.

Grant Woods served as Attorney General of Arizona from 1991 to 1999.

Andrew Miller served as Attorney General of Virginia from 1970 to 1977.

Duke Ligon is Senior VP & General Counsel for Devon Energy Corporation.

The Advisory Council was established to provide quality counsel and advice regarding the marketing to employee groups.

Legal Advisory Council

Page 38: Adrs Flip Chart With Red Flags Rev4

Disclaimer

1. The laws discussed in this presentation are, like most laws, constantly amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.

2. The instructor is not an attorney, and the information provided is not to be taken as legal advice.

3. The Affirmative Defense Response System provides compliance training, but your particular program must be tailored to your business’s size, complexity, and the nature of its operation. Be sure to check with your attorney on how these laws may apply to you.