FM Boston Radio

Boston information, tourism, media, restaurants and much more!

10 Jul

Business Law Alert: New Compliance Deadline Approaches For FTC Identity Theft “Red Flags” Rule

Posted in Massachusetts on 10.07.10

In late 2007, the Federal Trade Commission (“FTC”) issued its “Red Flags” rule, which imposes identity theft regulations on a class of businesses that the FTC defines as “Creditors.” Many businesses are not aware, however, that the FTC’s expansive definition of Creditor sweeps into the Red Flags rule a broad array of industries, including professional services providers (for example, accounting and law firms), small businesses, non-profits, and retailers of goods. In fact, the FTC estimates that over 11 million businesses are covered by the new rule. The FTC will enforce its identity theft “Red Flags” rule beginning May 1, 2009.[1]

* * *

The “Red Flags” rule (found at 16 C.F.R. § 681) requires any “Financial Institution” or “Creditor” that offers or maintains “Covered Accounts” to develop written identity theft prevention and detection programs to identify, detect, prevent, and respond appropriately to identity theft Red Flags. “Red Flags” are patterns, practices, or specific activities that indicate possible identity theft; for example, when a customer complains about a bill for goods or services the customer claims never to have received.

A “Creditor” is a person who “regularly extends, renews, or continues credit,” including the right to purchase property or services and defer payment. The FTC’s current interpretation of “Creditor” is very broad. According to one FTC attorney, a Creditor includes anyone who regularly provides goods or services without requiring immediate payment. Both for-profit and non-profit entities may be affected. In fact, a company or organization may fall into the category of a Creditor that offers or maintains a Covered Account simply by permitting customers to pay for services by means of payment plans or monthly invoices. Although certain industry groups have challenged the FTC’s broad interpretation of the term “Creditor,” to date, the FTC has not issued an exception for any particular industry.

A “Covered Account” is also defined broadly, and includes “(1) [a]n account . . . primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions . . ., or (2) [a]ny other account . . . for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

If a business is a Creditor, it must periodically determine whether it offers or maintains Covered Accounts. Although a “one-time” transaction (such as a typical retail sale) might not constitute a Covered Account, a customer account that provides for multiple transactions or payments and results in debt probably does. If a Creditor determines that it offers or maintains Covered Accounts, the Creditor must institute an identity theft prevention and detection program to address the risks of identity theft. The program must include reasonable policies and procedures to (1) identify Red Flags and incorporate them into the program, (2) detect and respond appropriately to Red Flags, and (3) periodically update the program. In addition, a Creditor must ensure that its third-party service providers have reasonable programs for detecting, preventing, and mitigating the risks of identity theft associated with the Creditor’s Covered Accounts.

Fortunately, the Red Flags rule is risk-based and allows for “flexible implementation.” Thus, a Creditor should utilize policies and procedures that are “reasonable” and “appropriate” in light of the Creditor’s activities, the types of Covered Accounts at issue, and the relative risk of identity theft. The FTC has stressed that identity theft programs do not necessarily need to be complex or technology-driven. In fact, a Creditor may incorporate its already-existing policies, procedures, and technology. Some procedures may be as simple as checking a person’s identification before opening a new customer account. The FTC does not expect that the Red Flags rule will present a substantial burden for a Creditor that is not subject to significant identity theft risk, for example, a Creditor that does not maintain sensitive customer information. The FTC also does not expect the rule to present a significant burden for a Creditor that has already instituted policies and procedures to address identity theft risk.

Pending further guidance from the FTC, businesses should carefully consider whether they are subject to the Red Flags rule and, if so, what their compliance obligations will be. It should be understood, however, that in all cases the FTC requires that a Creditor have a written identity theft program that has been initially approved by the Creditor’s board of directors or an appropriate board committee, and that subsequent development and administration of the program take place at a board or senior management level.

Be Mindful of Changing Requirements. With identity theft becoming an increasing concern in virtually all industries, businesses that maintain or process sensitive customer information (such as social security or credit card numbers) should carefully assess their policies and procedures for protecting customer information. In addition, businesses that operate in multiple states should be aware that most states, in addition to the FTC, have statutes and regulations regarding identity theft. For example, over forty states, including Maine, require businesses to take certain steps, such as notification, when a data breach has compromised certain customer information.

Recently, the State of Massachusetts issued even stricter regulations, requiring businesses to develop “comprehensive information security programs” to protect personal information such as social security, driver’s license, and financial account numbers. These regulations, found at 201 C.M.R. § 17.00, are not limited to Massachusetts-based businesses. Rather, they apply broadly to persons “who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” Massachusetts is requiring compliance with these regulations by January 1, 2010.

Conclusion. Businesses that use or maintain personal information susceptible to identity theft should be mindful of this rapidly evolving area of law, and they should consider seeking assistance from legal counsel to determine how best to comply with state and federal requirements. If you have questions regarding the effect of laws related to identity theft on your business, such as the Red Flags rule, please contact an attorney in the Business Law Group at Verrill Dana, LLP.

For further information please contact the Verrill Dana attorney listed below:
Alistair Y. Raymond
Business Law Group (araymond@verrilldana.com)


24 Jun

How Will Identity Theft and 201 CMR 17 Affect Your Small Business?

Posted in Massachusetts on 24.06.10

Massachusetts MGL 93H and 201 CMR 17 have not been widely publicized, despite originally being scheduled to go into effect on January 1, 2009. Many small business owners that I talk to each day in Massachusetts and around the country have no idea what they are or how they might impact their business in the future, but they will.

How Do These Two Pieces of Legislation Work?

MGL 93H defines security breaches and establishes regulations for the safeguarding of personal information of any Commonwealth of Massachusetts resident. While MGL 93H establishes that there is indeed a law on the books to deal with security breaches, the regulation 201 CMR 17.00, which goes into effect on January 1, 2010, implements the provisions of the law and describes what you need to have in place in order to achieve compliance.

What Does 201 CMR 17 Mean For My Business?

201 CMR 17.00 essentially sets minimum standards for the protection of the personal information of any Massachusetts resident, whether it is stored in paper or electronic format. This response to the explosion in identity theft is an effort to ensure that anyone that owns, licenses, stores, or maintains information about a Massachusetts resident follows a set of requirements to protect that data from those who might use it inappropriately or illegally. What must be considered is whether and how these regulations will impact your business. If you take information about your customers, employees or even contract help (that reside in Massachusetts) such as their name, along with:

- Address
- Social Security number
- Credit card number
- Driver’s license information
- Other state-issued identification information

and hold it in paper format or a database for any purpose, then these regulations will affect you and you must take steps to comply.

If you accept credit cards, for instance, you will collect either an imprint of the card or the data from the magnetic stripe. With this information you will complete your transaction and keep a record, or at the very least have that data pass through your network to a third-party card service provider. For many business owners the first reaction is “I do not save this information, so it does not apply to me.” The potential issue is that you are collecting and transmitting the personal credit card information, and that your employees have access to it during the transaction.

If you are located in the Commonwealth of Massachusetts or have employees who reside there, and you keep employment applications, a copy of a driver’s license, a personnel file or payroll information on them, then 201 CMR 17 applies to you and you must comply.

When I tell this to small business owners, their first reaction is that this is more government regulation that will require more technology and more costs that they cannot afford right now. The problem is that your customers are your lifeblood, and you need to protect them and their information. No small business can afford the cost or implications of a data breach. Aside from the obvious fines that might be imposed by the state and the legal and remediation costs associated with a breach, there is an even greater cost, one that could cost you your entire business: the trust of your customers and the reputation of your business.

So What Do I Have To Do?

201 CMR 17.00 says specifically that those who own, license, store, or maintain personal information (in any form) about a Massachusetts resident shall develop, implement, maintain and monitor a comprehensive, written information security program (WISP), applicable to any records containing such personal information. In addition to creating and maintaining a WISP, you will need to identify the components of the program, which include:

- Designate one or more employees to maintain the comprehensive information security program.
- Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.
- Develop security policies for employees.
- Limit the amount of personal information collected.
- Identify paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information.

These are followed by seven other points that address the duty to protect personal information.

201 CMR 17.00 goes further and describes the technical measures you are expected to have in place for the technology that you use. In the section of the regulations entitled Computer System Security Requirements, the state has outlined the technology requirements for compliance. These requirements include:

- Secure user authentication protocols.
- Secure access control measures that restrict access to records and manage passwords and users.
- Encryption of data during transmission, and of any data on mobile devices such as laptops and PDAs.
- Current versions of security software, such as anti-virus, on systems.
- Training of employees about information security.

The bottom line is that these new regulations not only require that you have a set of policies and procedures in place for effectively managing your information security, but actually direct you on what needs to be in place for technology compliance.

A great deal of the personal information that is compromised is stolen while stored or transmitted electronically, but this critical data can also be stolen for use in committing a crime while stored on paper in a file cabinet, or if it has been improperly disposed of in a dumpster. The goal of MA MGL 93H and 201 CMR 17.00 is to change how a business views personal information and to make it take steps for the proper collection, use, storage, transport and destruction of that information.

Compliance for a small business does not have to be cost prohibitive, but depending on the size and scope of your organization, changes may be necessary. To learn more about 201 CMR 17 and developing a WISP for your company, go to www.201CMR17Solutions.com.


07 Mar

Massachusetts Living: House Sitting as a Theft Deterrent

Posted in Massachusetts on 07.03.10

Some house sitters will do more than just watch your home. A few will clean, run errands, and take care of pets. Massachusetts has several companies you can find online. Having a house sitter will ease your fears and help prevent your home from falling prey to vandals or robbers.

What Thieves Look for

However, these lights come on at the same time every night, and their predictability can tip off thieves.

Hiring a house sitter is a much more effective crime deterrent.

Hire a House Sitter on Wedding Days

Some thieves can make wedding days a nightmare. It is all too common for robbers to scour the newspaper for weddings and look up the addresses of people they know will be occupied all day. With no one at home, the parents, the bride, or the groom can be victims of a home robbery.

If you or your children are getting married, it is a good idea to have someone at home on the day of the wedding, just so you can have peace of mind. A reputable house sitting service is a good option here, since most of your friends and family will be at the wedding. Asking someone you know who wasn’t invited to the wedding could be seen as rude. Hiring a house sitter avoids any hurt feelings.

Other Pros

House sitters can also guarantee you won’t be surprised by broken water pipes, or other disasters when you return home.  For example, if a storm damages your house while you are away, your house sitter can alert you and help you make proper arrangements for repairs.  This is much better than letting the damage sit for two weeks, only to be discovered when you come home from your vacation.

A house sitter can also keep up appearances at your home, mowing the lawn, collecting newspapers, or trimming your bushes.  You and your neighbors don’t want your home to become unkempt.

What to Look for in a House Sitter

Make sure your house sitter can provide references. Using a trusted company with a proven track record is a good way to find a house sitter. Many house sitters will be flexible, perhaps checking in every few days if you don’t want to pay them for the entire time you’re away. Consider hiring a house sitter for your next vacation!
