Our Comprehensive FACTA Program for Employers

Transcription

1 Our Comprehensive FACTA Program for Employers Every US employer has certain compliance obligations under a federal law referred to as the Fair and Accurate Credit Transactions Act ( FACTA ), which has rules and regulations that are all in effect today. FACTA was created to make organizations that collect and maintain personally identifiable information (Sensitive Information), responsible to protect that information. The rules developed pursuant to FACTA are designed to make organizations responsible to aid in the detection, deterrence and mitigation of identity theft. Compliance with FACTA is not an option for any organization including for profit, non-profit or religious organizations and governmental entities. Compliance with FACTA s Red Flags Rule alone does not constitute compliance with all of the rules mandated under FACTA. At minimum, under FACTA, every organization should have a written Privacy Policy and should conduct mandated employee training on that policy. According to the FACTA rules, each organization must perform a risk assessment to determine which rules it must follow. Organizations that do not attempt to comply with FACTA face federal penalties up to $3,500 and state penalties up to $50,000 for each violation. Organizations that suffer a data breach are responsible for actual or statutory damages and they can face class action lawsuits with punitive damages. OVERSIGHT: Congress gave certain oversight agencies the authority to write and enforce FACTA s final rules. These oversight agencies are the Federal Trade Commission (FTC) and federal banking agencies. The FTC investigates non-compliance with FACTA and federal consumer laws over all organizations that do not fall within the federal banking jurisdiction. The FTC identifies employers as its first category to which FACTA applies. Once an investigation is started it is too late to begin addressing compliance requirements. Minimum FACTA Requirements The FTC construes the Gramm, Leach, Bliley Safeguard Rule (GLB) being the minimum standard for addressing FACTA compliance. The Safeguard Rule, directed at financial institutions, required the protection of customer financial information. The FACTA rules would apply the protections of sensitive information, not just to customer financial data, but to all the identifiable data collected by an organization. Betsy Broder, the assistant director of the Federal Trade Commission s Privacy and Identity Protection Division said that all businesses [organizations] should look to GLB for guidance on how to protect personally identifiable information. (American Bar Association Journal/Stolen Lives (March 2006) Additional FACTA Requirements 1. Every organization and any person that uses a credit report or background report must follow the FACTA Disposal Rule. This law requires you to follow certain established procedures to dispose of such information. 2. As of January 1, 2011, organizations defined as creditors (as determined by the Red Flag Program Clarification Act of 2010) are subject to FACTA s Red Flags Rule. Employers subject to Red Flags Rule require an additional written Identity Theft Prevention Plan and include special training for 1

2 certain employees. Many organizations, including state agencies, county government and school districts are usually exempt from this requirement, but are not exempt from other FACTA rules. 3. The FACTA 2008 Address Discrepancy Rule requires employers using background checks on applicants to establish policies that permit them to form a reasonable belief as to whether addresses provided by applicants are correct and to notify the consumer reporting agency when they have confirmed applicant addresses. Requirements under GLB Safeguard Rules Conduct a risk assessment to determine which provisions of FACTA an organization is required to follow Appoint in writing, a Compliance Officer or Information Security Officer Develop a written Sensitive Information Security Policy (Privacy Policy) to create a culture of security Continue evaluating and adjust your security program Provide employee training on your company or organization s Privacy Policy including detection, prevention and response to identity theft The FTC has further stated that organizations must create a mitigation plan to minimize the damage due to identity theft. This mitigation plan must be in place prior to a breach Oversee service providers for compliance with your procedures Compliance Solutions We provide employers with a single source solution, to address mandated compliance requirements. They include the following: A required FACTA Rule Risk Assessment Federal Trade Commission required documents Industry specific Sensitive Information Security Policy (Privacy Policy) prepared by US Identity Theft Solution s compliance counsel (with ongoing support) A comprehensive Information Security Officer Compliance Manual including data breach and notification requirements Mandatory employee training developed by Certified Identity Theft Risk Management Specialists: Training includes the employer s Privacy Policy along with an identity theft workshop A fully managed Identity Theft Restoration Service to mitigate the employer s workplace identity theft liability Contractor/Vendor compliance requirements 2

3 Employer Proposal for Services Proposed Services: Prepare your organization s industry specific Privacy Policy Provide the Information Security Officer (ISO) appointment letter and ISO Compliance Manual Provide the required Risk Assessment Provide the required employee training (approximately 30 minutes, online or live) Provide FTC required documents and support from compliance attorney Employer Responsibilities: Make sure all employees participate in the employee training Provide each employee a copy of your organization s Privacy Policy Provide Use of Confidentially and Sensitive Information documents Complete mandatory employee training within 30 days of the date of this proposal Reducing Employer Liability to Identity Theft Victims Once a data breach occurs, an organization will face two types of liability: Federal/State government intervention with fines for non-compliance and Plaintiff s attorneys bringing individual or class action lawsuits. Identity Theft lawsuits almost always prove to be more expensive than Federal and State fines. Every company or organization is potentially exposed to thousands or even millions of dollars of liability for non-compliance with FACTA. Included in our one source solution is our pro-active identity monitoring and restoration service called idtfix. This is not your average credit monitoring service. idtfix is designed to prevent identity theft. In the event an identity theft does occur, idtfix provides an identity restoration specialist to restore victim s [employee s] identity to pre-theft status. idtfix can reduce an employer s liability to victims of a workplace data breach, who may hold the employer responsible and file a lawsuit for damages. Employers who fail to create a mitigation plan could face total liability for the damages sustained. Identity Theft Solutions idtfix services include: Proactive ID Monitoring for all 48 known types of identity theft Fully-Managed Identity Restoration Service toll free number 24/7/365 Immediate Fraud Alert placed with all three credit bureaus Notification to banks/creditors/law enforcement - government agencies 3

4 Document Replacements (SSN Card, Driver s License, Passport, Credit Cards etc.) Identity Theft Reimbursement Insurance/No Deductible Monthly identity activity report with user friendly ID Score Real- time updates on data breaches Prompt notification of suspicious identity activity ( or phone) idtfix is a Cost Effective Way to Reduce Employer Liability Three Options Available to Employers 1. For less than five cents (5 ) an hour (40 hr. week), employers can provide idtfix for employees, creating the most cost effective way to minimize their liability to victims of identity theft. 2. Employers who choose to make even a minimal contribution will find that a majority of employees will decide to participate in the idtfix program. 3. idtfix can be offered strictly as a voluntary benefit and will minimize an employer s liability, but only to those employees who participate. Identity Theft Protection idtfix can protect employees and dependents from any type of identity theft 24/7/365 Employee Only - $8.95 Monthly - Dependents - $4.55 Monthly - Total Family $13.50 Employee contribution requires a payroll deduction. Employees who leave their employer have the option to continue these benefits at no additional cost. Corporate Overview US Identity Theft Solutions, LLC, was established by a former judge and an attorney who specializes in compliance law to provide organizations with a solution to address their FACTA obligations. Our clients include counties, municipalities, school districts and for-profit and non-profit organizations. By documenting all the federally mandated requirements, we establish an affirmative defense for our clients and minimize their liability caused by a workplace identity theft. Judge Royce McCoy, CEO, was featured in the December 2009 issue of Forbes magazine as an expert in the field of Identity Theft. Prior to specializing in this field, he was elected and served as a Texas County Judge. He is also a former finalist for the Entrepreneur of the Year award sponsored by Inc. magazine, Merrill Lynch and Ernst & Young. Judge McCoy is a Certified Identity Theft Risk Management Specialist (CITRMS) as certified through The Institute of Fraud Risk Management. Karen McCoy, President, graduated from SMU with degrees in Journalism and Marketing. She is a Certified Identity Theft Risk Management Specialist and she has spoken across the country as an 4

5 expert regarding identity theft. Mrs. McCoy s years of experience in this industry and her management skills as a successful entrepreneur, has prepared her to lead this company in the 21st Century. Mark Deubner, Executive V.P., graduated from St. Mary's School of Law in San Antonio, Texas and clerked for the Fifth District Court of Appeals in Dallas, Texas. He has a background in statutory compliance law from drafting, testifying for, and passage of several state compliance statutes. He now specializes in identity theft compliance law. As our compliance counsel, Mr. Deubner supervised three other attorneys to create a unique FACTA Compliance Manual for our clients. He is a Certified Identity Theft Risk Management Specialist. Dale Brooks, Senior V.P. and National Marketing Director, is a graduate of University of North Texas with a degree in Business Administration & Information Systems. His primary focus is educating trade associations, chambers of commerce, service organizations and employers regarding compliance with federal/state mandated identity theft laws. Mr. Brooks is a Certified Identity Theft Risk Management Specialist (CITRMS). Julia Baker, Senior V.P. of Compliance and Corporate Communication is a graduate of Oklahoma Christian University and is a Certified Identity Theft Risk Management Specialist. She previously served as Sr. Vice President & Compliance Officer for a national company and Co-Chair of the Government Relations Commission for an industry association provided her with a platform to hone her skills as a leader in the legislative and regulatory arena. 5