Compliance Program Solutions for Auto Dealers

Industries

11 Sep

Failure to properly monitor adverse action letters and privacy notice records (especially on dead-on-arrival deals) is one of the biggest areas of compliance improvement needed at most dealerships I visit. As part of an identity theft prevention program, ensuring that the privacy notice and credit application are properly signed is vital, as is control of the adverse action letters.

Ask the dealer principal or GM about this, and invariably their stock answer is that it’s being taken care of. However, when pressed for honesty, the finance director and desking manager usually paint a different picture. Internet sales departments, in particular, are prone to compliance mismanagement in this area.

In one FTC case, a subsidiary of Equifax settled with the FTC for $350,000 on charges that it failed to provide adequate disclosures.

Under the Fair Credit Reporting Act, the company allegedly failed to provide, “‘Notice to Users of Consumer Reports: Obligations of Users Under the FCRA,’ which notifies users of consumer reports of their statutory obligations, including notifying individuals if the user takes adverse action against them based on their consumer report,” as well as other related disclosures.

One scam I’ve seen involves grifters with incredibly bad scores going around to dealerships filling out apps knowing in advance that the special finance department can’t help them. Their app is a dead deal (or DOA), and a disgusted desking manager throws the signed privacy notice into a cardboard box. The frustrated sales person may likewise do something foolish with the deal jacket.

The grifter then returns in about six to eight months and claims he or she never authorized the dealership to pull a credit report. Since it was a dead deal, the dealership may or may not be able to find the signed privacy notice, the application, or a photocopy of the driver’s license, and is therefore unable to prove that the grifter had indeed been at the store and authorized the pull. Store management is then left with the open question of what the grifter wants and what it will take to get rid of him or her.

Category : Federal | Identity Theft Incidents and Methods | Implementation | Industries | Prevent and Mitigate Identity Theft | Red Flags Program | Training | Blog
29 Jul

For the third time, the FTC is delaying enforcement of the Red Flags Rule in order to give businesses time to learn about and become compliant with the Rule. The FTC is also stepping up its outreach and education efforts. Enforcement is slated to begin on Nov 1st, 2009, fully one year after the original deadline.

From the FTC’s press release:

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.

The release specifically mentions health care providers and a request from Congress, so it seems that the AMA has had more luck lobbying Congress directly than it did going straight to the FTC.

That said, the FTC is correct when it states that its hands are effectively tied on this matter; Congress defined “creditor” almost to the point where it means “every business, non-profit, or any other organization that ever comes in contact with money” (exaggerating a bit), and it is up to Congress to revise it. By mandating that organizations facing very little identity theft risk follow the Red Flags Rule, Congress diminishes the impact of the Rule and harms organizations like car dealerships, which really are at risk.

UPDATE: The Wall Street Journal has a story on the delay (subscriber article):

Implementation of an identity-theft program entails certain research and training expenses. Failure to comply may subject a company to penalties of up to $3,500 per violation. But Nicholas Economidis, an underwriter for Beazley Group, said that “failure to comply will increase a company’s exposure to negligence claims.” Beazley, based in London, provides companies with identity-theft and data-theft insurance.

Category : Health care | Industries | Red Flags Rule | Regulations | Uncategorized | Blog
27 Jul

American Bar Association President Thomas Wells Jr. plans to file suit against the FTC by the end of the week if the FTC does not drop its plan to enforce the Red Flags Rule starting August 1st. The ABA contends that the FTC has no right to regulate the legal profession (and in fact the ABA won a lawsuit to that effect in 2005) and that lawyers should not be subject to the Red Flags Rule:

The ABA’s current beef with the FTC is defining lawyers as creditors.

In June, Wells issued a statement urging the FTC to exclude lawyers from the regulations, known as the “Red Flags Rule,” which require businesses and organizations that act as creditors to establish programs for preventing identity theft.

“The FTC has taken the position that professionals like lawyers, who regularly bill their clients for services after those services are rendered, are creditors under the ECOA,” Wells says.

That is almost identical to the AMA’s main argument - that doctors who bill after services rendered are not creditors - which we covered here. It will be interesting to see how this plays out.

For car dealers, there is no question as to whether they are subject to the Red Flags Rule since they are specifically mentioned in FACTA. There may be another delay in enforcement, though, as the FTC sorts out requests from Congress, which, predictably, is under pressure from lobbyists such as the ABA and AMA.

Category : Federal | Health care | Industries | Law | Red Flags Rule | Regulations | Uncategorized | Blog
24 Apr

The FTC responded to the American Medical Association’s stance that the Red Flags Rule should not apply to physicians and related health care providers. That’s right - your trusty GP must have an Identity Theft Prevention Program. In the FTC’s letter to the AMA, the FTC acknowledges that, yes, doctors take a confidentiality oath, and yes, there’s HIPAA, but neither covers the “respond to and mitigate identity theft” provision of the Red Flags Rule. In other words, the FTC focuses on two scenarios:

  • The doc suffers a data breach and patient data is exposed when it shouldn’t be.
  • A thief tries to use someone else’s data to fool the doc, thus potentially exposing a real person to the perils of false entries in their medical records or false insurance billing.

To address these scenarios, the FTC suggests that for smaller doctors’ offices, which are presumably low risk, checking a driver’s license and determining what to do if notified of identity theft involving the office would be sufficient.

Category : Health care | Red Flags Program | Red Flags Rule | Uncategorized | Blog
2 Feb

The city of Sallisaw rolled out its Red Flags Program and issued a public announcement about it so its customers know what to expect. (While municipalities are not subject to the Red Flags Rule, utilities are.)

Before rolling out your program, take a page from Sallisaw’s book and make every effort to set customer expectations in advance.

Category : Government | Implementation | OK | Uncategorized | Utilities | Blog
1 Feb

A Denver area man bought the contents of a storage unit at auction and discovered file cabinets full of hospital records, driver’s licenses, passports, birth certificates, etc. After the police declined to intervene, he turned them over to a local news station.

This case raises an interesting question that is very pertinent to the Red Flags Rule (although the hospital appears to have been operating under HIPAA guidelines). What if your company were contacted by a news outlet claiming that your customer records had been stolen? According to the rule, your written Red Flags Identity Theft Prevention Program should include a section on how your company will “Prevent and Mitigate Identity Theft”.

In English, that means you should determine what your company will do in response to an identity-theft-related incident. The incident could be anything from one of your Red Flags being triggered (e.g., someone tries to use a fake ID and your employee spots it), to a laptop being stolen, to a notice, as in this case, that identity theft has occurred.

From the article, here’s how the hospital handled it:

After 9NEWS alerted St. Anthony Central about the patient records found in the storage unit, the hospital investigated. Within 48 hours, the hospital says it tracked down the employee who accessed the hospital records.

“This particular associate was confronted with this and the associate immediately confessed to the fact that they indeed had taken this information outside of our organization,” said St. Anthony Central CEO Peter Makowski. “We are very, very regretful that this ever took place.”

The hospital fired her last week. She had been an employee at the hospital for five years and passed a criminal background check and compliance tests, according to St. Anthony Central.

Records show the 150 patients whose stolen documents were found in the storage unit were admitted to the hospital during a six-month period between 2007 and 2008.

The hospital is offering patients a free identity-theft protection service. You can read more about that at http://centura.mediaroom.com/index.php?s=43&item=338.

The hospital said it has contacted the Office for Civil Rights with the U.S. Department of Health and Human Services about the breach. The department investigates HIPAA privacy law violations.

The hospital also said it’s increasing the number of patient medical record system audits and educational efforts.

Kudos to the hospital for their response, the gentleman who found the stolen identities, and the reporters who followed up on the story.

Category : Health care | Prevent and Mitigate Identity Theft | Red Flags Program | Uncategorized | Blog
31 Jan

The Secret Service says that credit card and other personal information from up to 17,000 customers was stolen from three San Antonio hotels:

“The stolen accounts of hundreds of people already have been used to make fraudulent credit cards, which then were used to make purchases at area retailers, court records show…
[In the suspect's hotel room] officers found a cache of paraphernalia used in the production of credit cards…officers also found in the room Wal-Mart gift cards with logos of Mastercard or Visa that were in various stages of alteration, label makers, laptop computers, dry transfer decals and ink stamps.”

You may be surprised to learn that fake physical credit cards are somewhat common; stolen credit card account information is not just used for online purchases. The magnetic stripe on the back just holds the account information; in fact, an enterprising group of criminals in Las Vegas encoded stolen credit card data onto discarded or stolen hotel room keys, and those “credit cards” were then used for local purchases.

There are two takeaways here, both of which should be documented in your written Red Flags Identity Theft Prevention Program:
- Make sure you store customer data securely. If you don’t need to retain credit card numbers, don’t. I hate to think about the calls those three hotels are getting right now.
- If you accept credit cards, make sure your employees check IDs and actually look at the card being presented.

Category : Hospitality | Identity Theft Incidents and Methods | Red Flags Program | Uncategorized | Blog
27 Jan

Arrrgh.

The Veterans Affairs Department agreed Tuesday to pay a total of $20 million to veterans for exposing them to possible identity theft in 2006 by losing their personal information….The case began after a laptop computer was stolen in a burglary at the Maryland home of a department data analyst. The laptop and an external drive contained data that the analyst had taken home without permission, including the names, birth dates and Social Security numbers of up to 26.5 million veterans and active-duty service members.

Does your company have a policy on what type of data is accessible from where? Can anyone copy anything and everything about your customers onto a thumb drive? If you don’t like the answers to those questions, here’s a good reference for you: the SANS Institute has more policy samples and computer security information than you can shake a stick at.

Or of course, you could have us do it. Just sayin’.

Category : Government | Uncategorized | Blog

About Us

RedFlagsMadeEasy.com is brought to you by PegaFrog, Inc., consultants to the retail automotive industry.

Contact Us

Red Flags Made Easy

512 - 773 - 7419

sales@redflagsmadeeasy.com