GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT
Wanda Borges, Esq.
Borges & Associates, LLC
575 Underhill Blvd.
Syosset, NY 11791
516-677-8200 x 225
borgeslawfirm@aol.com
GSCFM 2014
PRIVACY ISSUES / IDENTITY THEFT PREVENTION
- Increased concern over identity theft
- Increased risks of money laundering
- Risks of computerized data breach
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / STATUTES
GRAMM-LEACH-BLILEY – 1999
- Among the first of its kind
- Not applicable to commercial business transactions
- Protects consumers’ nonpublic personal information from foreseeable threats to security and data integrity
- Nevertheless – set the standard for safeguards
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / STATUTES
GLB’s Safeguards Rule
- Ensure the security and confidentiality of customer information
- Protect against anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the customer
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / STATUTES
USA PATRIOT ACT – 2001
- “Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”
- Passed into law – October 26, 2001, after the 9/11 attacks
- Primary focus: deter and punish terrorist acts [anti-terrorism]
- Enhance law enforcement investigatory tools
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / STATUTES
USA PATRIOT IMPROVEMENT AND REAUTHORIZATION ACT OF 2005
- Together these Acts are commonly referred to as The USA PATRIOT ACT
- Section 326 – anti-money-laundering section
- Requires financial institutions to set up and maintain Customer Identification Programs (CIPs)
PROTECTING PERSONAL INFORMATION
FEDERAL TRADE COMMISSION
- Issued “A Guide for Business”
- Premise – companies keep sensitive personal information on file
- Names, Social Security Numbers, credit card or other account data necessary to:
  - Fill orders
  - Meet payroll
  - Perform other necessary business functions
DATA SECURITY PLAN
- Take stock of what personal information is maintained in files and on computers
- Keep only what is necessary for business operations
- Lock and protect kept information
- Properly dispose of what you no longer need
- Create a plan to respond to security incidents
DATA SECURITY PLAN
Keep only what is necessary for business operations
- If you really don’t need it, don’t keep it
- Electronically printed credit and debit card receipts must be shortened or truncated
- Check and change, if necessary, any default settings on software (which may keep information indefinitely)
- Develop a written records retention policy
DATA SECURITY PLAN
Lock and protect kept information
- Physical security
- Electronic security
- Employee training
- Security practices of:
  - Contractors
  - Service providers
DATA SECURITY PLAN
Properly dispose of what you no longer need
- Wipe computers clean of old data when disposing of a computer
- FACT Act Disposal Rule:
  - Burn
  - Pulverize
  - Shred
DATA SECURITY PLAN
Create a plan to respond to security incidents
- Have a plan in place to respond to security incidents
- Designate a senior member of staff to coordinate and implement the response plan
- If a computer has been compromised, disconnect it immediately from the server and/or the Internet
- Investigate security incidents immediately
- Take steps to thwart vulnerabilities and threats
- Consider whom to notify in the event of a security incident
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / STATUTES
GENERAL INFORMATION
- Whenever the word “person” is used, “person” includes: corporation, limited liability company, partnership, limited liability partnership and most other artificial entities
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
CALIFORNIA
- Various bills 2003, 2005, 2006
- Strictest disclosure and security procedure requirements in the country
- Borrowed standards from GLB & HIPAA
- Not limited to records located in California
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
CALIFORNIA
Three requirements on businesses:
- Notify California residents when the security of personal information has been compromised
- Notify California residents when information is shared with a third party
- Maintain reasonable security procedures to protect personal information
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
INDIANA (since 2006)
- Regulates ANY company which owns or uses personal information of Indiana residents for commercial purposes, regardless of whether the company otherwise is doing business in Indiana
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
INDIANA
- Develop and implement security procedures
- Protect individuals’ non-public personal information
- If a breach occurs, report the event to the consumer, state agencies and national credit reporting agencies
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
INDIANA – Recommended Program
- Designate an employee to coordinate
- Identify reasonably foreseeable internal and external risks to security
- Assure contractors are capable of maintaining appropriate safeguards
- Continually evaluate to reflect new circumstances
- Provide consumer notification plans in case of an inadvertent data-security breach
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
MASSACHUSETTS – 2007, but compliance mandatory 2010
- Applicable to all “who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”
- NOT limited to records located within the Commonwealth.
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
MASSACHUSETTS – WISP [Written Information Security Program]
- Ensure the security and confidentiality of personal information;
- Protect against any anticipated threats or hazards to the security or integrity of such information;
- Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
MASSACHUSETTS – cont’d
- 201 CMR 17.00 Compliance Checklist can be found at: http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
MISSOURI
Personal Information Data Privacy Notification and Encryption Laws: Section 407.1500 (2009)
- Any person that owns or licenses personal information of residents of Missouri, or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri, shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
NEW YORK
- GENERAL BUSINESS LAW §899-aa
- STATE TECHNOLOGY LAW §208
- Effective December 2005
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
NEW YORK
Definition of Personal Information (Private information)
- An individual’s first name or first initial and last name, linked with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or is encrypted with an encryption key that has also been acquired
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
NEW YORK
DATA ELEMENTS
- Social security number
- Driver’s license number or non-driver identification card number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
NEW YORK
APPLICABLE TO:
- Any person or business which conducts business in New York State, and which owns or licenses computerized data which includes private information
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
NEW YORK
REQUIREMENTS:
- Disclose any breach of the security of the system following discovery or notification of the breach in the security of the system
- Notify any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
- Notify as expeditiously as possible and without unreasonable delay:
  - Consistent with the legitimate needs of law enforcement
  - Consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
TEXAS
- BUSINESS & COMMERCIAL CODE ANNOTATED §521.053
- EFFECTIVE DATE: September 1, 2005
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
TEXAS
DEFINITION OF PERSONAL INFORMATION:
Information that alone or in conjunction with other information identifies an individual, including an individual’s:
- Name, social security number, date of birth, or government-issued identification number;
- Mother’s maiden name;
- Unique biometric data, including fingerprint, voice print, and retina or iris image;
- Unique electronic identification number, address, or routing code; and
- Telecommunication access device as defined by Section 32.51, Penal Code
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
TEXAS
SUMMARY:
- A person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of Texas whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
- The disclosure shall be made as quickly as possible, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
PRIVACY ISSUES / IDENTITY THEFT PREVENTION / State Statutes’ Awareness
TEXAS
- Implement and maintain reasonable procedures to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
- Destroy records not to be retained by:
  - shredding;
  - erasing; or
  - making the information unreadable or indecipherable through any means.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
- Enacted 2007
- Enforcement began January 1, 2011
- Picks up where data security leaves off
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
- Seeks to prevent identity theft by ensuring that you and your customer are on the lookout for crooks who might obtain and use someone else’s information
- Applicable to:
  - Financial institutions
  - Creditors with “covered accounts”
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
- The definition of “creditor” under the “Red Flags” Rule is broad
- A trade creditor may be included
- The Red Flag Program Clarification Act of 2010 has clarified when a trade creditor is or is not a “creditor” under the Red Flags Rule
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010
- Limits applicability of the “Red Flags” Rules to a creditor (including a trade creditor) as defined in the Equal Credit Opportunity Act that regularly, and in the ordinary course of business:
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010, Cont’d.
- Obtains or uses consumer reports in connection with a credit transaction,
- Furnishes information to consumer reporting agencies in connection with a credit transaction, or
- Advances funds to or on behalf of a person based on that person’s obligation to repay the funds or repayable from specific property pledged by or on behalf of that person
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010, Cont’d.
- “Advances funds” refers to money, rather than goods or services
- This category of “creditors” applies only to entities making loans.
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010, Cont’d.
A trade creditor IS included which relies on an individual credit report in making credit decisions, whether the report is:
- On the principal of a small business,
- On a personal guarantor, or
- On a non-corporate entity
FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010, Cont’d.
A trade creditor is NOT included which:
- Only deals with established corporate entities
- Does not rely on personal consumer credit reports
- Does not furnish information to consumer reporting agencies
- Does not make loans to individuals
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
“Covered Account” includes:
- Any account that a creditor (or financial institution) offers or maintains for which there is a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the creditor or financial institution.
- Consumer accounts for personal, family or household use.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
Risk Assessment
- A business must first assess its level of risk
- Creditors dealing with small businesses and personal guarantors have a high risk level
- Creditors dealing only with large corporate customers and no personal guarantors do not have to comply with the Red Flags Rules
- A written “Red Flags” Program must be developed, administered and updated.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
Identify the “red flags” which will alert your business to a problem
- A Red Flag is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft, e.g.:
  - A customer using a credit card for payment who does not have the proper identity code
  - A customer ordering an unusual quantity or type of product
  - A customer requesting delivery to a new or unusual location
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
Detect the “red flags”
- Verify any new or unusual locations
- Contact the customer personally if any information or request seems unusual
- Verify that a customer who uses only a cell phone actually exists
- Verify an email account if it appears generic
- Confirm that the business or person you are dealing with really exists
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
Respond to “red flags”
- Once you have identified your “red flags” and have detected them, your program should set forth a procedure for how you are going to deal with them.
- The response may be as simple as contacting the customer for further verification; or
- The response could include notifying law enforcement officers
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
If you ARE a creditor as defined above, then:
- Administer and update your “Red Flags” program
- Proper training of all personnel is required
- Periodic review of your “Red Flags” program is required
- The Board of Directors must write and administer the “Red Flags” Program – or
- A senior executive (e.g. the credit manager) may be designated as the responsible person to write and administer the program.
FEDERAL TRADE COMMISSION’S RED FLAGS RULE in Summary
If you are NOT a creditor as defined above, then:
- If your company sells on a purely B2B basis,
- Your company does NOT have to comply with the “Red Flags” Rules