Wednesday, October 29, 2008

Red Flag Rules - The New Deadline

For those who are not aware of the next deadline, there is one coming up this week. On November 1st, three rules from the federal government come into play - like we didn't have enough to deal with already!

Let me give a little background to this first.

The Fair and Accurate Credit Transactions Act (FACT Act or FACTA) was passed back in 2003 to try to get a better handle on identity theft - both on monitoring it and on potentially preventing it. The FACT Act amended the previously passed Fair Credit Reporting Act (FCRA), which dates back to the 1970s. To put a little context to it, FACTA is the law that allows people to get a free credit report once a year from the credit trio (Equifax, Experian, and TransUnion).

One of the sections included within the FACT Act was a set of three requirements that businesses must comply with regarding protection against identity theft. These are better known as the Red Flag Rules.

The Rules

The Red Flag Rules have three primary sections, but I'm going to focus on the first and most broadly applicable one: implementing an Identity Theft Prevention Program.

As part of the new regulation, companies are now obligated to develop and maintain an Identity Theft Prevention Program. Well, what does that actually mean? According to the FTC, the Program has to include "reasonable policies and procedures for detecting, preventing, and mitigating identity theft". Additionally, those policies and procedures must enable companies to:

1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

Who needs to be compliant?

Since this is a law, the applicable entities are widespread. As defined by the law, this applies to all businesses that have "covered accounts". Covered accounts are any accounts that carry a foreseeable risk of identity theft. This could include credit cards, monthly-billed accounts like utility bills and cell phone bills, social security numbers, drivers' license numbers, medical insurance accounts, and possibly others. Obviously, it would be a shorter list to come up with the businesses that are not affected by these rules.

How do you become compliant?

Well that's the magic question!

As of right now, there is no measure of what is sufficiently compliant and what is not. Of course, since this is a regulatory law, the actual controls dictated are very general in nature, describing broad programs that need to be in place within the organization.

The best advice for accomplishing this is to follow general security guidelines. Some important components to include are: policies and standards, an incident response program, security information and event management (SIEM), and strong logical controls within your environment. Following frameworks and guidelines such as ISO 27001 or NIST 800-53 can also give you guidance in developing the programs and controls.

So who's to enforce the law?

Since this is a federal business law, enforcement primarily falls under the Federal Trade Commission (FTC) - though there are provisions that the National Credit Union Administration (NCUA) and the federal banking agencies can also enforce it. Does this mean that they are going to be performing audits against companies? Unlikely, but that doesn't mean they will not investigate an organization based upon reported incidents. In the infamous case of TJX, once the information from the breach was made public, the FTC came in and actually mandated that controls be put in place. This includes audits on a bi-annual basis and maintaining a "comprehensive information security program".

In the end, this just strengthens the need for organizations to develop an Enterprise Security Program (ESA). Even though this is yet another law bringing generic mandates to companies, performing best practices and continually assessing and improving your security program will be more than enough to cover these added rules.