For individuals, identity theft typically involves a modest financial loss and a large headache in denying that they purchased high-end home-theater systems and custom Jaguars.
For a company, the consequences are more dire. TJ Maxx, the poster child for mass credit-card theft, estimated the overall cost for its infamous 2007 data breach at $256 million. According to a February 2011 study from Javelin Strategy & Research, a financial-services research firm, there were 8.1 million identity-fraud victims in the United States last year, and the amount of associated fraud reached $37 billion. Out-of-pocket costs for an average victim increased 63%, to $631, compared with $387 in 2009.
No wonder Congress stepped in. In 2008, it passed the Identity Theft Red Flags Rule, which then went unenforced as lobbying groups and Congress hashed out some details. As of December 31, 2010, however, the rule is in full effect, and companies in many industries must pay heed.
The rule requires a wide range of businesses and organizations to implement a written identity-theft prevention program to identify and detect the warning signs — or “red flags” — of identity theft and respond appropriately to prevent and mitigate the crime.
The question of which businesses must comply has been the subject of some confusion, but at this point the rule applies not only to financial institutions but to all businesses that:
- obtain or use consumer credit reports in connection with a credit transaction;
- furnish information to consumer-reporting agencies in connection with a credit transaction; or
- advance funds to (or on behalf of) a person, based on an obligation of that person to repay the funds or make them repayable from specific property pledged by, or on behalf of, the person.
That means that companies from auto dealerships to retail chains to telecoms and utilities may have to spell out their battle plans for identity theft. According to the Federal Trade Commission (see more at www.ftc.gov/redflagsrule), compliance with the program must include four basic elements:
- reasonable policies and procedures to identify the red flags of identity theft (which can include everything from suspicious patterns and activities to potentially fake IDs);
- processes to detect and alert the company to the red flags identified;
- listings of actions the company will take when red flags are detected;
- periodic reevaluation to address new risks.
The program must also include training for all staff, including subcontractors. The board or the top-level executive must approve the first written program, which must include a statement about who bears responsibility for implementing and administering it.
Although the rule does not mandate specific practices or procedures, companies that fail to comply with it may be subject to fines. Whether compliance actually reduces their risk of facilitating identity theft remains to be seen.