SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009.

IMPORTANT DATES: State legislation, December 31, 2008. Red Flag Rule enforcement extended to November 1, 2009.

SC Financial Identity Fraud and Identity Theft Protection Act One of the two strongest in the nation per SC Dept of Consumer Affairs

Overview of SC Act
1. Consumer identity theft protection
2. Personal identifying information privacy protection by public bodies
3. Credit and debit card receipts
4. Breach of security of business data
5. Breach of security of state agency data
6. Household garbage privacy
7. Identity fraud (definitions and penalties)

Overview of SC Act 190
– Requires a legitimate business purpose to collect personal identifying information
– Requires security of this information
– Describes proper disposal methods
– Requires certain procedures if a breach occurs

What is personal identifying information? First and last name (or first initial and last name) in combination with any one of the following:
– social security number;
– driver's license number;
– financial account number or credit or debit card number in combination with any required security code;
– other identifying information.

Social Security Number: The state defines a social security number as six or more digits of the number. In other words, displaying five or fewer digits is acceptable.

Unless otherwise stated, a public body may not collect a social security number:
– unless authorized by law to do so;
– unless the collection is otherwise imperative for the performance of that body’s duties and responsibilities as prescribed by law.

Unless otherwise stated, a public body may not collect a social security number (continued):
– unless the collection is relevant to the purpose for which it is collected;
– the number must not be collected until and unless the need has been clearly documented.

Unless otherwise stated, a public body may not fail, when collecting a social security number, to segregate that number on a separate page from the rest of the record (or as otherwise appropriate), so that the social security number may be easily redacted pursuant to a public records request.

Unless otherwise stated, a public body may not intentionally communicate, or otherwise make available, to the general public an individual's SS# or other personal identifying information.

Unless otherwise stated, a public body may not intentionally print or embed an individual’s SS# on any card required for the individual to access government services.

Unless otherwise stated, a public body may not require an individual to use a SS# to access an internet website, unless
– a password, or
– a unique personal id number, or
– another authentication device
is also required.

Unless otherwise stated, a public body may not require an individual to transmit a SS# over the internet, unless
– the connection is secure, or
– the SS# is encrypted.

Unless otherwise stated, a public body may not print a SS# on materials that are mailed to the individual, unless state or federal law requires the SS# on the mailed document. Example: federal ID #s on business licenses.

What are some public body exceptions? HR functions:
– administration or provision of employee benefits program;
– employment verification purposes;
– claims and procedures related to employment such as termination, retirement, workers’ comp, etc.

What are some public body exceptions? See legislation for other exceptions

What about service providers? Disclosure to a service provider must be necessary for the receiving entity to perform its duties, and must have a business purpose.

What about service providers? The following were specifically named as allowable:
– Setoff Debt Collection Act
– Governmental Enterprise AR Collection program

Register of Deeds and County Clerk of Court: overall, they are required to (1) act reasonably to limit the public posting of personal information; (2) remove personal information from public documents; and (3) advise the public of their right to request this.

Register of Deeds and County Clerk of Court See for specific requirements of a public notification and for those preparing documents to be recorded or filed in official records.

Credit and debit card receipts: Must not print on a receipt provided to the cardholder at the point of sale (1) more than five digits of the account number, and (2) the expiration date.
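The SSN rules above (six or more digits counts as an SSN; segregate the number so it can be redacted for a public records request) and the receipt rule (at most five account-number digits, never the expiration date) reduce to the same masking routine plus a check that nothing over the limit survives. The following is an added example written for this page, not code from the presentation or from the State of South Carolina; the sample record and receipt are constructed, and the regular expressions, the X and * masking characters and the default of keeping the last four digits are my choices.

```python
import re

# Constructed sample inputs (not from the slides): a record a public body
# might hold, and a point-of-sale receipt before any masking.
SAMPLE_RECORD = (
    "Applicant: Jane Q. Public\n"
    "SSN: 123-45-6789\n"
    "Driver's license: 987654321\n"
)
SAMPLE_RECEIPT = (
    "CITY OF EXAMPLE - UTILITY PAYMENT\n"
    "CARD: 4111111111111111  EXP: 12/27\n"
    "AMOUNT: $84.20\n"
)

# Hyphenated SSN form only: a dashless nine-digit run collides with other
# identifiers (the driver's license above), which is exactly why the slides
# want the SSN segregated into its own field or page rather than found by scanning.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(\d{13,19})\b")  # full card number, 13 to 19 digits
EXP_RE = re.compile(r"\bEXP(?:IRES)?:?\s*\d{2}/\d{2,4}", re.IGNORECASE)
SSN_TOKEN_RE = re.compile(r"(?<!\S)[\dX]{3}-[\dX]{2}-[\dX]{4}(?!\S)")
PAN_TOKEN_RE = re.compile(r"(?<!\S)[\d*]{13,19}(?!\S)")

# Six or more SSN digits is still an SSN under the state definition, and the
# receipt rule allows at most five account-number digits: same ceiling.
MAX_VISIBLE = 5


def redact_ssn(text: str, keep: int = 4) -> str:
    """Mask every hyphenated SSN in text, leaving at most `keep` trailing digits."""
    if not 0 <= keep <= MAX_VISIBLE:
        raise ValueError(f"keep must be between 0 and {MAX_VISIBLE}")

    def _mask(m: re.Match) -> str:
        digits = "".join(m.groups())
        masked = "X" * (9 - keep) + (digits[9 - keep:] if keep else "")
        return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"

    return SSN_RE.sub(_mask, text)


def mask_receipt(text: str, keep: int = 4) -> str:
    """Truncate card numbers to the last `keep` digits and drop expiration dates."""
    if not 0 <= keep <= MAX_VISIBLE:
        raise ValueError(f"keep must be between 0 and {MAX_VISIBLE}")

    def _mask(m: re.Match) -> str:
        pan = m.group(1)
        return "*" * (len(pan) - keep) + (pan[-keep:] if keep else "")

    out = EXP_RE.sub("", PAN_RE.sub(_mask, text))
    return "\n".join(line.rstrip() for line in out.split("\n"))


def ssn_fragments_ok(text: str) -> bool:
    """True when no SSN-shaped token in text shows more than MAX_VISIBLE digits."""
    return all(sum(c.isdigit() for c in tok) <= MAX_VISIBLE
               for tok in SSN_TOKEN_RE.findall(text))


def receipt_is_compliant(text: str) -> bool:
    """True when every card-number token shows at most MAX_VISIBLE digits
    and no expiration date remains on the receipt."""
    pans_ok = all(sum(c.isdigit() for c in tok) <= MAX_VISIBLE
                  for tok in PAN_TOKEN_RE.findall(text))
    return pans_ok and EXP_RE.search(text) is None


if __name__ == "__main__":
    print(redact_ssn(SAMPLE_RECORD))
    print(mask_receipt(SAMPLE_RECEIPT))
```

The two `*_ok` checks are the useful part for an audit: run them over the documents actually released or printed, not over the code path that was supposed to mask them. The SSN scan is a backstop only; it will miss dashless numbers, which is the practical reason the Act asks for the SSN to live in a separate field or page that can be dropped wholesale.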

Credit and debit card receipts: Violations are a misdemeanor with a $250 fine for the first violation and $1,000 for each subsequent violation. Knowing and willful violations are a Class F felony, punishable by imprisonment of not more than five years, a fine of not more than $1,000, or both.

Proper disposal of business records: “When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.”

Proper disposal of business records Contracting with a person engaged in the business of disposing of records is considered compliance with SC law.

Proper disposal of business records: Penalties for noncompliance
– Willful violation = 3x actual damages, not more than $1,000 for each incident, plus reasonable attorney’s fees and costs.
– Negligent violation = actual damages and reasonable attorney’s fees and costs.

Disposal of Information Technology hardware or storage media Before a public body may transfer or dispose of IT hardware or storage media, all personal and confidential information must be removed and the remaining hardware/media must be sanitized in accordance with standards and policies adopted by the State Budget and Control Board, Division of the State Chief Information Officer.

SC Hardware Sanitization Policy EA1DE8929F16/0/HWSanitizationPolicy.pdf

Two methods of sanitization:
– Physical destruction: crush, shred, incinerate or smelt.
– Digital sanitization: deleting files is insufficient; must use digital sanitization tools such as DataEraser, Sanitizer, SecureClean, WipeInfo, DataGone.

Sanitization tools must comply with the Department of Defense requirements for sanitization tools (DoD M).

Sanitization methods must comply with the National Institute of Standards and Technology’s publication on sanitization methods.

Sanitization also includes:
– cell phones
– other hand-held devices (Palm, Treo, etc.)
– copy machines
– fax machines
– flash drives
– hard drives

Disposal of Information Technology hardware or storage media: The director or appropriate IT manager of the public body owning or leasing the hardware or storage media shall verify that all personal and confidential information has been removed and that the hardware or media has been sanitized in accordance with those standards and policies before the transfer or disposal is made.
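An added example, not from the presentation or from the state policy it cites, of the "deleting files is insufficient" point at the level of a single record: overwrite the file contents in place, fsync each pass, rename the directory entry to a random name, and only then unlink, returning the record the slides ask the IT manager to keep as verification. The file name, the pass count (three, with the final pass writing zeros) and the sample content are assumptions.

```python
import os
import secrets
import tempfile

# Constructed sample content (not real data) standing in for an exported
# customer record that must not survive disposal of the media it sits on.
SAMPLE_RECORD = b"account=A100;name=Jane Q. Public;ssn=123-45-6789;card=4111111111111111\n"

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files are not read into memory


def overwrite_and_unlink(path: str, passes: int = 3) -> dict:
    """Overwrite a file in place (random data, then zeros on the final pass),
    fsync after each pass, rename the entry to a meaningless name, then unlink.

    Returns a record the responsible IT manager can keep as the verification
    the slides require before media is transferred or disposed of.
    """
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(b"\x00" * n if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make sure the pass reached the device, not just the page cache
    # The directory entry still carries the original file name; replace it with
    # a random one before unlinking so the name itself is not left behind.
    anonymous = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anonymous)
    os.unlink(anonymous)
    return {
        "bytes_overwritten": size,
        "passes": passes,
        "removed": not os.path.exists(path) and not os.path.exists(anonymous),
    }


def demo() -> dict:
    """Write the constructed record to a scratch directory, wipe it, and report."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "utility-account-export.txt")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_RECORD)
        record = overwrite_and_unlink(path)
        record["dir_entries_after"] = os.listdir(scratch)
    return record


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should attach to this. In-place overwriting only works where the filesystem rewrites the same blocks; SSD wear levelling, copy-on-write and journaling filesystems, snapshots and virtual or cloud disks can all keep earlier copies out of reach of the file API. For hardware or media that is actually leaving the organization, that is why the slides point to whole-media tools and standards and to physical destruction rather than to per-file deletion; treat a routine like this as record-level hygiene on equipment that stays in service, and keep the returned record with the disposal paperwork.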

What is a data breach? “…unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or the integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.”

What isn’t a breach? “Good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.”

When must a breach be reported? When personal identifying information has not been rendered unusable through encryption, redaction, or other methods.

When must a breach be reported? When it is reasonably believed to have been acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the individual.

The Red Flag Rule is a federal regulation issued under FACTA (Fair and Accurate Credit Transactions Act of 2003).

Fundamentals I. Develop a Written Program II. Identify Relevant Red Flags III. Detect Red Flags IV. Prevent and Mitigate ID Theft V. Update the Program VI. Administer the Program

One size does not fit all The Red Flags and responses should be appropriate to the level of risk and the size of accounts, etc.

I. Develop a Plan
– Must be a written plan
– Initial plan must be adopted by governing body
– Must assess the risk
– Must consider the 26 Red Flags
– Must consider past ID theft experience

II. Identify Relevant Red Flags. Categories of Red Flags:
1. Consumer report alerts
2. Presentation of suspicious documents
3. Presentation of suspicious personal identifying information
4. Suspicious activity on the account
5. Notice of possible identity theft on the account

III. Detect Red Flags. Procedures to detect red flags:
– Verify identity (new accounts)
– Authenticate customers (existing accounts)
– Monitor transactions (existing accounts)
– Verify validity of address changes (existing accounts)

IV. Prevent and Mitigate. Appropriate responses to red flags:
– Monitor accounts
– Contact customer
– Change passwords
– Close and reopen account
– Refuse to open account
– Don’t collect on or sell account
– Notify law enforcement
– No response
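Sections II through IV above, as an added example that is not part of the presentation: a small rule set that runs over a constructed stream of account events, raises four of the red flags on the FTC's list (a card request shortly after an address change; an SSN already on another account; mail returned repeatedly while transactions continue; a notice of possible identity theft), and pairs each hit with a response from the list above. The event format, the 30-day window and the two-returned-mailings threshold are my assumptions, and the responses are illustrative pairings, not the only ones the list allows.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple


class Finding(NamedTuple):
    account: str
    red_flag: str
    category: str
    response: str


# Constructed sample event stream for a utility's customer accounts (not real
# data). Each row: event date, account, event type, details.
EVENTS = [
    (date(2009, 9, 1),  "A100", "address_change",  {"new_address": "12 Elm St"}),
    (date(2009, 9, 10), "A100", "card_request",    {"reason": "replacement"}),
    (date(2009, 9, 3),  "A200", "new_account",     {"ssn": "123-45-6789"}),
    (date(2009, 9, 5),  "A201", "new_account",     {"ssn": "123-45-6789"}),
    (date(2009, 9, 6),  "A300", "mail_returned",   {}),
    (date(2009, 9, 7),  "A300", "payment",         {"amount": 120.00}),
    (date(2009, 9, 8),  "A300", "mail_returned",   {}),
    (date(2009, 9, 9),  "A400", "id_theft_notice", {"source": "customer"}),
    (date(2009, 9, 12), "A500", "payment",         {"amount": 40.00}),
]


def detect_red_flags(events, window_days=30, returned_mail_threshold=2):
    """Run four red-flag rules over the event stream and attach a response
    drawn from the slides' list to each finding."""
    events = sorted(events, key=lambda e: e[0])
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)
    findings = []

    # Suspicious activity: card request shortly after an address change.
    # (window_days is an assumed threshold; the FTC flag says "shortly following".)
    for acct, evs in by_account.items():
        for i, (t, _, kind, _) in enumerate(evs):
            if kind != "address_change":
                continue
            for t2, _, kind2, _ in evs[i + 1:]:
                if kind2 == "card_request" and (t2 - t).days <= window_days:
                    findings.append(Finding(
                        acct,
                        f"card request {(t2 - t).days} days after address change",
                        "suspicious activity on the account",
                        "contact customer at the previous address before issuing"))
                    break

    # Suspicious personal identifying information: SSN already on another account.
    ssn_owner = {}
    for _, acct, kind, details in events:
        if kind == "new_account":
            ssn = details["ssn"]
            if ssn in ssn_owner and ssn_owner[ssn] != acct:
                findings.append(Finding(
                    acct,
                    f"SSN already associated with account {ssn_owner[ssn]}",
                    "suspicious personal identifying information",
                    "refuse to open the account until identity is verified"))
            ssn_owner.setdefault(ssn, acct)

    # Suspicious activity: mail returned repeatedly while transactions continue.
    for acct, evs in by_account.items():
        kinds = [kind for _, _, kind, _ in evs]
        returned = kinds.count("mail_returned")
        if returned >= returned_mail_threshold and "payment" in kinds:
            findings.append(Finding(
                acct,
                f"{returned} returned mailings while account activity continues",
                "suspicious activity on the account",
                "monitor account and contact customer by another channel"))

    # Notice of possible identity theft from the customer, a victim or law enforcement.
    for _, acct, kind, details in events:
        if kind == "id_theft_notice":
            findings.append(Finding(
                acct,
                f"notice of possible identity theft from {details['source']}",
                "notice of possible identity theft on the account",
                "monitor account; notify law enforcement"))
    return findings


if __name__ == "__main__":
    for f in detect_red_flags(EVENTS):
        print(f"{f.account}: {f.red_flag} [{f.category}] -> {f.response}")
```

Account A500, with an ordinary payment and nothing else, produces no finding; that is the point of the "one size does not fit all" slide, since the thresholds and the chosen responses should follow the size and risk of the accounts rather than fire on every event. Record each finding and the response taken, because section VI's reporting and the program's periodic update both feed on that history.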

V. Update the Program. Periodic updating of the Program based on:
– experience with identity theft;
– changes in industry standards;
– changes in types of accounts offered or maintained;
– changes in business arrangements, service providers, etc.

VI. Administer the Program A. Oversight of Plan B. Reporting of Instances, etc. C. Oversight of Service Provider Arrangements

FTC Guide and Plan

How do we get in compliance? Take stock. Scale down. Lock it. Pitch it. Plan ahead.

QUESTIONS?