The New Identity Theft Red Flags Rule: Does it Raise “Red Flags” for Information Security?

First, the agencies define “identity theft” according to FTC guidelines: “a fraud committed or attempted using the identifying information of another person without authority.” By this definition, any name or number that can be used, alone or in combination with other information, is a potential target of identity theft. Thus, the unauthorized disclosure or theft of an individual’s name, Social Security number, date of birth, biometric data, PIN (such as an ATM PIN), password, or telephone number is a precursor to possible identity theft.

The Red Flags Rule is directed toward financial institutions and creditors who maintain “covered accounts.”  According to the agencies, a covered account is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.  

Thus, “covered accounts” include a very broad spectrum of services. Most obviously, the kinds of accounts provided by retail banks to individual customers (checking and savings accounts, IRAs, loan accounts) are included. But the rules would also encompass any other account that permits “multiple payments or transactions,” such as accounts maintained at automobile dealerships, cell phone service providers, cable TV companies, and department stores. Each of these businesses, according to the Red Flags Rule, must now establish a written program to prevent and mitigate identity theft. Thus, the scope of the Rule extends well beyond retail banking institutions.
