Companies still in the dark on ID theft deadline
03-09-2009, The Journal Record - Kirby Lee Davis
http://www.journalrecord.com/article.cfm?recid=96630
TULSA – In less than 60 days, nearly every company in Oklahoma will find itself facing federal identity theft mandates that remain relatively unknown despite several high-profile cases and extensions.

“Anyone that invoices anything is now a creditor,” said Herman J. Luette, owner of IDT Consultants of Tulsa, in paraphrasing Federal Trade Commission interpretations of the Fair and Accurate Credit Transaction Act. “That leaves very few companies out.”

Although securing personal information has plagued companies since the personal computer and Internet changed business practices, the immediate issue focuses on the May 1 compliance deadline for the “Red Flag” provisions of FACTA.

That deadline extended the original Nov. 1 date the FTC set for companies to develop and deploy an identity theft prevention program. Luette said the question of just who was a creditor had confused many executives, who had thought the rules applied only to financial institutions or credit information users.

Even with the deadline looming, Luette doubts 1 percent of Oklahoma companies now comply with the new regulations, which require firms to name an information security officer, establish privacy and safeguarding rules, train workers on both the rules and systems, and ensure that all of their third-party vendors comply with the laws, among other risk-mitigating steps.

“It’s kind of like having a shredder – everyone has one, but how much do they use it?” said Gavin W. Manes, president and chief executive of the Tulsa digital forensics company Avansic.

Although he’s done what he can to spread the word, signing up 1,100 clients in Oklahoma and four other states, Luette doubts 90 percent of executives even know the laws exist.

“Normally, when we secure a server, the financials and the human resource files are immediately what a company wants to protect,” said Tim Jackson, owner of Tulsa’s information technology consulting and service firm Jackson Technical. “Beyond that, we don’t see a lot of controls being set up.”

Manes said such security concerns dovetail with other federal regulations, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. While the cost of noncompliance can be staggering – TJMaxx now faces more than $118 million in penalties and damages in its still-developing credit-card records case – Manes said many firms don’t realize the risk they face under increasingly complex liability rulings that hold companies guilty until proven innocent.

“Companies definitely have a problem with data retention and management to begin with, and e-mail is the number one problem,” he said.

But the rules also reflect security risks that have nothing to do with electronic systems, he said – some as innocent as executives simply leaving correspondence sitting in piles on a desk, easily accessible by others.

“Many companies are well-prepared for an outside threat,” said Manes. “A good percentage is prepared for an outside threat. But what about an internal threat, from employees? If they’re not, they’re going to be out of business.”

The cost of meeting those regulations starts with potential fines and grows from there.

Firms proven guilty of noncompliance under FACTA may face fines of up to $3,500 per incident, with no limit to class-action lawsuits and assumed liability for costs with each individual identity loss, which Luette said average just under $93,000 per person.

HIPAA, which addresses health records, boosts that fee limit to $250,000, plus up to 10 years in jail.

“A lot of people don’t even realize they keep medical information,” he said – not realizing their workers’ doctor’s notes, insurance claims or workers’ compensation reports may fall under HIPAA.

Gramm-Leach-Bliley lifts fines to $1 million per incident, plus the jail terms, removal of officers and liability in both civil and criminal cases.

Luette, a certified identity theft risk management specialist whose business has jumped 30 percent since the fall financial meltdown, said victims of identity theft face an average time of 607 hours to work through the resulting problems.

“Companies could be held liable to pay wages for that lost time,” he said.

In practical applications, the cost of compliance often depends on the individual company’s infrastructure.

“It increases your administrative overhead significantly,” said Jackson.

It also may raise hardware and software costs as firms increase and protect stored data.

Since the most common security breaches come from employees mistakenly clicking on bogus malware warnings from infected Web sites, Jackson said firms should employ internal protection systems and teach employees how those systems work, so that workers understand what to pay attention to.

Firms also must educate workers on how to secure user names and passwords. That marks one service Luette’s firm provides – a free one, if companies subscribe to legal and liability coverage offered through Kroll Inc. and Pre-Paid Legal Services.

Such password fears point to what Manes sees as the biggest risk factor – human error.

“Even though you have a new law that says you have to protect information, we’re constantly creating new ways to access that information,” he said. “I don’t think it’s as simple as installing an alarm system and responding to it when it goes off. Real-time detection is highly unlikely.”

Luette agreed, noting that it can take 12 to 18 months for victims to realize their personal information has been stolen.

“I can not wait for this litigation to get filed,” said Manes, whose firm often gets hired to investigate such crimes as identity theft. “We are working on a case right now that, in a weird sidebar notion, something like this could have prevented. In the end, a human overrode this detection system, so there’s no way to know. But I would challenge an automated way to perform some of this stuff, because in the end a human’s going to make some mistake and that mistake’s going to cause liability.”


Copyright 2008 Avansic