As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC’s staff has mentioned informally that helpful guidance would be forthcoming. As of today, the FTC has launched its new Red Flags Rule website and with it, a Red Flags Rule “How-To” guide (.pdf).
The website is a good collection of the FTC’s materials on this issue and it includes official press releases and statements directed to various industries (including the FTC’s letter to the healthcare industry (.pdf), the FTC’s guide for telecom companies (.pdf) and the FTC’s guide for utility companies (.pdf)).
The FTC’s advice in the How-To Guide may be somewhat general (e.g., “Just getting something down on paper won’t reduce the risk of identity theft.”), but it does simplify compliance into four steps:
- Identify Red Flags.
- Develop procedures for detecting Red Flags.
- Develop responses for Red Flags once you have detected them.
- Re-evaluate your Identity Theft Prevention Program as circumstances change.
For more specific information on threats and security measures, the FTC’s webpage on information security is a useful resource drawn from the FTC’s experience with companies that have had lapses in information security. In particular, the FTC’s Protecting Personal Information: A Guide for Business (.pdf) lays out five key principles for developing reasonable security procedures:
1. Take Stock. Know what personal information you have in your records.
2. Scale Down. Keep only what you need for your business.
3. Lock It. Protect the information that you keep.
4. Pitch It. Properly dispose of what you no longer need.
5. Plan Ahead. Create a plan to respond to security incidents.