The New Identity Theft Red Flags Rule: Does it Raise “Red Flags” for Information Security?

Although the FTC was involved in crafting both documents, the Task Force members were aware of the agencies’ proposed regulations, and the drafters of the rules were not oblivious to the existence of the Task Force, the Identity Theft Red Flags Rule surprisingly makes barely any mention of information security.  None of the issues raised in the Task Force report are discussed in the context of the agencies’ rulemaking.  Indeed, the Red Flags Rule does not focus upon the causes of identity theft; rather, it is primarily concerned with preventing identity theft by advocating the adoption of specific business practices intended to prevent theft.

This does not mean, however, that information security professionals can merely ignore the new rules and assume that business units alone must bear the burden of compliance.  Indeed, lurking within the text of these new regulations are several issues that have serious implications for InfoSec staff. 

What is the “Identity Theft Red Flags Rule”?

In past years, federal regulations (such as the guidelines intended to implement Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act) have generally focused upon the privacy and accountability of personal information.  These regulations are directed toward very specific businesses, especially financial and medical services.  The Identity Theft Red Flags Rule, however, is not intended to safeguard the privacy of customer information; in addition, the scope of its applicability is much broader than previous rules relevant to information security.
