Protecting Your Clients' Business and Personal Info
Red Flags Rule
Whether your business is a Fortune 500 company or a one-man show, data security needs to be a top priority. Small and medium-sized businesses are becoming more frequent victims of data breaches, whether through their own negligence or through a deliberate attack.
Unfortunately, it often takes a loss to recognize the importance of data security. The potential of losing the financial or personal information of just one customer should be enough to re-evaluate data policies and procedures in order to prevent such incidents. Don’t let your business be a victim – take a proactive approach to data security by properly securing your data and limiting your exposure.
In the unfortunate event that your organization experiences a data breach, there are a number of costs your business could incur, such as:
- Investigating and fixing the cause of the security breach
- Notifying those whose information was compromised
- Providing credit watches for the victims
However, the loss of your clients’ trust and the resulting loss of business could affect your organization the most.
Considering all factors, research conducted by the Ponemon Institute estimates the cost of a data security breach to be around $214 per compromised record. In total, the cost of a single data breach incident averages around $7.2 million.
In 2008 the Federal Trade Commission (FTC) created and implemented the Red Flags Rule. The rule applies to certain businesses, requiring them to have a written identity theft prevention program in place. The rule was enacted to address the large number of identity theft incidents that happen in the United States due to data security breaches.
The two types of businesses required to abide by the Red Flags Rule are financial institutions and creditors. Financial institutions include:
- Savings and loan associations
- Credit unions
- Any other business that directly or indirectly holds customer transaction accounts
The FTC defines a creditor as any of the following:
- Businesses and organizations that regularly provide goods or services first and then collect payment from customers later
- Businesses and organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions
- Businesses and organizations that regularly participate in the decision to extend, renew or continue credit, including setting the terms of credit
This broad definition of creditor includes many technology-based companies.
The Red Flags Rule requires that financial institutions and creditors with covered accounts have a written identity theft prevention program. A satisfactory written identity theft prevention program should:
- Identify red flag activity (patterns, practices and specific forms of activity) that indicates possible identity theft
- Integrate red flag detection into business practices
- Define the appropriate response to take to prevent and mitigate identity theft if a red flag is detected
- Be periodically reviewed and updated to reflect changes in risks from identity theft
Risk management analysis and planning is still the best way to mitigate exposures, whether they are physical or digital. Having a written identity theft prevention program is an excellent way to address the potential threat of data breaches leading to identity theft. The ‘A’ Team is here to help – contact us today.