The New Identity Theft Red Flags Rule: Does it Raise “Red Flags” for Information Security?

On May 10, 2006, President Bush signed an Executive Order creating the nation’s “first ever” Identity Theft Task Force.  The purpose of this ad hoc committee, chaired jointly by the Attorney General and by the Chair of the Federal Trade Commission (FTC), was “to help law enforcement officials investigate and prosecute identity thieves, educate consumers and businesses on ways they can protect themselves, and increase the safeguards on personal data held by the Federal government.”

Less than a year later, the Task Force produced its final report, Combating Identity Theft:  A Strategic Plan.  Approximately 20% of the pages comprising the largest chapter, “Strategy to Combat Identity Theft,” were devoted to issues concerning information security, including material pertaining to data breaches in the private and public sectors.  In addition, the report discusses many topics familiar to information security professionals:  theft of sensitive documents, dumpster diving, hacking, phishing, spyware, pretexting, and stolen media (such as laptops) containing data that promote identity theft.

At approximately the same time that the Task Force was drafting its Strategic Plan, six federal agencies, namely the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), and the FTC, were developing a new set of regulations also intended to reduce the threat of identity theft.  Their final rules, formally titled “Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003,” were issued on October 31, 2007, and will take effect on November 1, 2008.
