What we will cover in the next few minutes
 The Problem of Identity Theft
• What ID Theft is in reality
• Laws related to ID Theft that punish your business
 Best Answer to the Problem
• Layered Protection
• ID Theft Program and Training
• Implementing reasonable steps at little or no cost that will lower your risk and minimize your exposure
BLR: Business and Legal Reports
By: Douglas, Hottle, Meyer, Unkovic & Scott
“A rise in identity theft is presenting businesses with a major headache.” Employers are being held liable for identity theft that occurs in the workplace.
Identity Theft is the misuse or fraudulent use of an individual’s personal information. Unfortunately for employers, personal data such as Social Security, driver’s license and bank account numbers are precisely what is contained in HR files, a goldmine for ID thieves.
ID Thefts Prevalent at Work
With the workplace being the site of more than half of all identity thefts, ... executives must “stop thinking about data protection as solely an IT responsibility”. More education is necessary.
– Human Resource Executive, May 2007
Five Common Types of Identity Theft
• Driver’s License
• Social Security
• Medical
• Character/Criminal
• Financial
Identity Theft is not just about Credit Cards! It is a Legal Issue!
ID Theft is an international crime and access to an attorney may be critical.
Where the law becomes logical
“Once the credit systems accept bad data it can be next to impossible to clear.”
– USA Today, June 5, 2007
“Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult.”
– WSJ, Oct 11, 2007
Because it is so overwhelming to correct the victims’ records, it is imperative for businesses to protect the data.
The Cost to Businesses
 Employees can take up to 600 hours, mainly during business hours, to restore their identities.
 “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*
 “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*
*CIO Magazine, “The Coming Pandemic”, Michael Freidenberg, May 15th, 2006
Why should all businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about Identity Theft, FACTA Red Flag Rules, GLB Safeguard Rules, and State Legislation?
Answer: Liability, both civil and criminal.
Important Legislation
 FACTA Red Flag Rules
 Fair Credit Reporting Act
 Gramm-Leach-Bliley Safeguard Rules
 Individual State Laws (e.g. NCITPA & Texas Whistle Blower Statute)
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
Fair and Accurate Credit Transactions Act (FACTA)
(New rules are substantive and impose additional new requirements effective January 1, 2008)
Applies To Every Business And Individual Who Maintains, Or Otherwise Possesses, Consumer Information For A Business Purpose.
Employee or customer information lost under the wrong set of circumstances may cost your company:
 Federal and State Fines of $2,500 per occurrence
 Civil Liability of $1,000 per occurrence
 Class action Lawsuits with no statutory limitation
 Responsibility for actual losses of the Individual ($92,893 Avg.)
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
FACTA Identity Theft Red Flag Rules
(Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)
ESTABLISHMENT OF AN IDENTITY THEFT PREVENTION PROGRAM
 Must develop and implement a written Identity Theft Prevention Program (Program).
 Must obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors.
 If the business does not have a board of directors, approval must come from a designated employee at the level of senior management. Small businesses are not exempt.
 The oversight, development, implementation and administration of the Program must be performed by an employee at the level of senior management.
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
FACTA Identity Theft Red Flag Rules
(Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)
TRAINING OF STAFF TO EFFECTIVELY IMPLEMENT THE PROGRAM
 A Culture of Security must be established at all businesses.
 Personally Identifiable Information (PII) such as Social Security numbers, driver’s license numbers, etc., must be protected as if it were loose cash, because the loss of PII can be more devastating than the loss of cash, since cash can be replaced.
 All staff who could possibly have access to PII within or outside the business must be trained so that they understand why the information needs to be protected and that there are legal consequences for not doing so. This is necessary to effectively implement an identity theft prevention program.
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
FACTA Identity Theft Red Flag Rules
(Effective Jan. 1, 2008; Mandatory compliance by Nov. 1, 2008)
SERVICE PROVIDERS AND SUBCONTRACTORS
 Liability follows the data.
 A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.
 Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
 Additionally, contractors with whom you exchange PII are required to comply and have reasonable policies and procedures in place to protect information.
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
Fair Credit Reporting Act (FCRA)
If an Employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the Employer is subject to FCRA requirements.
www.ftc.gov/os/statutes/031224fcra.pdf
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
Gramm-Leach-Bliley Safeguard Rules
Eight Federal Agencies and any State can enforce this law.
Applies To Any Organization That Maintains Personal Financial Information Regarding Its Clients Or Customers
Non-Public Information (NPI) lost under the wrong set of circumstances may result in:
 Fines up to $1,000,000 per occurrence
 Up to 10 Years Jail Time for Executives
 Removal of management
Executives within an organization can be held accountable for non-compliance both civilly and criminally.
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
FACTA Red Flag Rule & Gramm-Leach-Bliley Safeguard Rules
Applies to any Organization Including:
 Financial Institutions*
 Brokers
 School Districts
 Car Dealers
 Credit Card Firms
 Accountants
 Insurance Companies
 Financial Planners
 Lenders
 Real Estate Agents
*The FTC categorizes an impressive list of businesses as FI, and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
FACTA Red Flag Rules and the GLB Safeguard Rules
Require businesses to:
 Appoint in writing an Information Security Officer.
 Develop a written ID Theft protection plan & policy to protect Non-Public Information for employees and customers.
 Hold mandatory training for employees who have access to Non-Public Information.
 Oversee Service Provider arrangements.
Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You
FTC Guide: Protecting Personal Information, A Guide For Business
Suggests that companies should:
“Create a culture of security by implementing a regular schedule of employee training” (pg 17)
“Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)
ABA Journal, March 2006
“‘We’re not looking for a perfect system,’ Broder says. ‘But we need to see that you’ve taken reasonable steps to protect your customers’ information.’”
– “Stolen Lives”, ABA Journal, March 2006
Law Firms Are Trolling for Victims
“Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”
“Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”
Why and How We Help You…
 Set up Reasonable Steps To Protect NPI/PII
 Help Create a “Culture of Security”
 Set up a potential Affirmative Defense
 Help Protect employees and customers while potentially decreasing your company’s exposure
Affirmative Defense Response System
 We start the compliance process for your Company by providing templates for the written ID Theft security plan and the appointment of the security officer.
 To assist your company with compliance issues we will conduct the mandatory training required by law for your employees. We will also explain the different types of ID Theft and show your employees how they can protect themselves if they become a victim, and why their and your customers’ personal information needs to be protected.
 We do all of this at no direct cost to your company.
What We Do
1. Mandatory Meeting Letter
To All Employees
[Company]
RE: MANDATORY EMPLOYEE MEETING: PRIVACY AND SECURITY COMPLIANCE PROGRAM AND IDENTITY THEFT TRAINING
[insert date, time and location]
On [insert date], [company] will host a mandatory employee meeting and training session on identity theft and privacy compliance. Additionally, as an employee, you will be provided an opportunity to purchase an identity theft product.
As you know, [company] makes every effort to comply with all Federal Trade Commission guidelines to protect personal employee, customer and vendor information. As part of our security program, we want to train all employees on concrete steps to help reduce the risk of security breaches and identity theft.
This program is important to [company] and your attendance is mandatory. I look forward to seeing each of you there on [date].
Sincerely,
[Company] CEO
What We Do
2. Appointment of Security Compliance Officer
February 1, 2008
[insert employee designee]
RE: Appointment of Security Compliance Officer
Dear [employee]:
As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer. As Security Officer you will be responsible for designing, implementing and monitoring a security program to protect the security, confidentiality and integrity of personal information collected from and about our employees, consumers and vendors.
As Security Officer you will help [Company] identify material internal and external risks to the security of personal information; design and implement reasonable safeguards to control the risks identified in the risk assessment; evaluate and adjust the program in light of testing results; and continuously monitor the program and procedures.
[Company] will provide you, as Security Officer, with access to training courses and materials on a continuing basis.
Thank you for your commitment to [Company].
Sincerely,
[Company]
Chief Executive Officer
What We Do
3. ID Theft Plan and Sensitive and Non-Public Information Policy
(First of nine pages)
SENSITIVE and NON PUBLIC INFORMATION POLICY
1. PURPOSE
The company adopts this policy to help protect employees, customers, contractors and the company from damages related to loss or misuse of sensitive information. This policy will:
 Define sensitive information
 Describe the physical security of data when it is printed on paper
 Describe the electronic security of data when stored and distributed
2. SCOPE
This policy applies to employees, contractors, consultants, temporaries, and other workers at the company, including all personnel affiliated with third parties.
3. POLICY
3.1. Definition of Sensitive Information
Sensitive information includes the following items whether stored in electronic or printed format:
3.1.1. Personal Information - Sensitive information consists of personal information including, but not limited to:
3.1.1.1. Credit Card Information, including any of the following:
 Credit Card Number (in part or whole)
 Credit Card Expiration Date
 Cardholder Name
 Cardholder Address
What We Do
4. May Reduce Company Losses
In the event of a data breach, we may help mitigate potential losses for your company. Our program may reduce your exposure to litigation, potential fines, fees and lawsuits. We will train and offer your employees a payroll deduction benefit that includes the Life Events Legal Plan & Legal Shield (Monitoring, Restoration and Access to Legal Counsel):
 Credit Monitoring Services
 Full Restoration Services
 Access to Legal Counsel
Employees who participate in this program may reduce your company’s exposures. The majority of the time in restoring an employee’s identity is covered by the memberships and not done on company time and/or at company expense. Also, use of our Life Events Legal Plan provides help* that addresses related issues.
* Subject To Terms And Conditions
What We Do
5. Potential Early Warning System
If a number of your employees get notified of improper usage of their identities, this may act as an early warning system to your company of a possible internal breach, which could further reduce your losses.
What We Do
6. May Provide an Affirmative Defense
BLR says this “Provides an Affirmative Defense for the company.”
“One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit. An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have a mandatory employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees ‘feel like the company's valuing them more, and it's very personal.’”
– Business and Legal Reports, January 19, 2006
What We Do
7. Provide Proof You Offered A Mitigation Plan – Check Off Sheet
Identity Theft Protection and Legal Services
As an employee of ______________________________, located in _________________________, I acknowledge that a Pre-Paid Legal Services, Inc., independent sales associate made available to me the Identity Theft Shield and a Pre-Paid Legal Services, Inc. membership.
Identity Theft Shield:
o Initial credit report and guide on how to read the report
o Continuous credit monitoring
o Identity restoration in the event of a theft
Pre-Paid Legal Services Plan:
o Preventive legal services provided through a network of independent provider attorney law firms in each state and province
o Phone Consultation with Attorneys/Review of Documents/Phone Calls and Letters for any legal matter and issues regarding identity theft, including concerns regarding my: 1) driver’s license, 2) medical information, 3) social security number, 4) character/criminal identity, and 5) my credit identity and information
o A Will for me and my spouse
o Motor vehicle moving violation representation
o Trial defense
o IRS audit
o Legal Shield 24 hours a day, 7 days a week when arrested or detained
o Discounted rate for other legal services
I have seen and read the brochures listing the specific benefits, limitations and exclusions of these plans. The company made these benefits available to me at my expense.
___ I have decided to enroll in both plans.
___ I have decided to enroll in the legal plan only.
___ I have decided to enroll in the Identity Theft Shield only.
___ I have decided not to enroll in either plan.
Name: _____________________________ Date:_______________________
Signature: __________________________ Witness:_____________________
What We Do
8. Mitigating Damages
To potentially protect yourself, you should have all employees sign this document (“Use of Confidential Information by Employee”)…
 It makes Employees aware of their legal responsibilities to protect NPI
 It serves as proof that handlers of NPI have completed the mandatory training required by law
Be Sure To Check With Your Attorney Before Using A Form Such As This
What We Do
8. Continued – This form or one similar to it is required by the FTC for all employees*
* FTC – Protecting Personal Information: A Guide For Business, pg 15
Identity Theft: The Next Corporate Liability Wave
Corporate Counsel, March 30, 2005
“Your phone rings. It’s Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.
Your mind begins to whirl. Are there other customers affected who haven’t been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?
You recall reading that each identity theft victim will on average spend $1,495, excluding attorney’s fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2,000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims’ time and you get $11,000 per case or a total of $110 million in total even before fines and punitive damages are considered. And that’s on top of the potential impact on your company’s future sales.
The nation’s fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies.”
Disclaimer
1. The laws discussed in this presentation are, like most laws, constantly amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.
2. The instructor is not an attorney, and the information provided is not to be taken as legal advice.
3. The Affirmative Defense Response System provides compliance training, but your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.
Legal Advisory Council
Mike Moore served as Attorney General of Mississippi from 1988 to 2004.
Grant Woods served as Attorney General of Arizona from 1991 to 1999.
Andrew Miller served as Attorney General of Virginia from 1970 to 1977.
Duke Ligon is Senior VP & General Counsel for Devon Energy Corporation.
The Advisory Council was established to provide quality counsel and advice regarding the marketing to employee groups.
Thank You