Insurers Need to Beware of Business ‘Red Flags’
New federal “Red Flag” regulations will soon require businesses of all sizes to have identity theft and data breach protections in place. By Nov. 1, 2008, the date at which the regulations should be implemented, more than 11 million businesses will be affected. As a result, insurance carriers are starting to study this as a new commercial coverage for companies, according to Identity Theft 911, a provider of identity management solutions and a privacy and data protection consultant.
The Federal Deposit Insurance Corp. (FDIC), along with the other federal financial institution regulatory agencies and the Federal Trade Commission, note that Red Flag Identity Theft Rules are a result of the 2003 Fair and Accurate Credit Transactions Act (FACTA) that amended the Fair Credit Reporting Act (FCRA). Section 114 of FACTA requires financial institutions to establish procedures for identifying identity theft.
According to Experian, “the final rules provide financial institutions with a fair amount of flexibility in establishing their own internal compliance programs, but there are a few mandatory provisions that must be included in any compliance program.”
For example:
- The regulations require financial institutions and creditors to implement a written identity theft prevention program.
- The regulations require card issuers to assess the validity of change of address requests before issuing additional or replacement debit or credit cards.
- The regulations require users of consumer reports to reasonably verify the identity of the subject of a consumer report in the event the user receives a notice of address discrepancy from the consumer reporting agency.
- The guidelines are intended to assist financial institutions in implementing the regulations.
- Supplement A to the guidelines contains a list of 26 “red flags” that financial institutions and creditors may consider incorporating into their identity theft prevention programs, although their adoption is not mandatory.
“These rules come at a time when the Federal Trade Commission and banking regulatory agencies are questioning whether creditors are using adequate authentication tools,” Experian stated. “These Red Flag Rules will improve industry practices in the area and should continue to drive identity theft statistics downward.”
“The main gist of the red flag provisions is to shift the burden of dealing with and fighting ID theft from the consumer to businesses that are granting thieves the information,” explained Eduard Goodman, general counsel and chief privacy officer for Identity Theft 911. Whereas in the past the emphasis has been on consumers to hide personal information and shred documentation, the law shifts the responsibility to people and businesses that grant credit information to identification thieves and asks them to recognize patterns or red flags, he said.
Unfortunately, many businesses have no idea how to protect their customers/employees from an ID theft attack. A Zogby International survey found that 86 percent of business owners think safeguarding customer data is a high priority, and 83 percent believe a breach would definitely have an impact on business reputation. However, that same survey found 34 percent of businesses had no tools/procedures in place to detect ID fraud.
This is where the insurance industry can help, Goodman suggested.
Although the regulations won’t apply to insurance companies as businesses, insurance companies can educate commercial businesses about the rules “to get them up to speed,” as well as inform them of ID theft trends, he said. In addition to requiring businesses to have ID theft and data breach protection plans, the rules also require companies to fine-tune their plans when fraud occurs.
Insurance and identity management companies are on the “front-lines,” so are able to see trends, such as if there is a string of victims among college students in Wisconsin, or several victims in Queens, N.Y., Goodman said. “That type of information, once it’s digested and put into report format, will be hugely important in the next couple of years.” Insurance companies can report to businesses, on an ongoing basis, the trends they’re seeing about the types of victims falling prey to ID theft and the types of risks, he said.
The second role the insurance industry can play is to help potential victims by mitigating potential harm, Goodman added. Many insurance companies already have tools available and partnerships with data protection companies to help businesses mitigate risk, he said, noting his company works with more than 130 insurance companies to provide such services. As ID theft protection plans are implemented and fine-tuned, the insurance industry will become even more important in providing mitigation tools to help potential victims, he said.
With the deadline looming — even if federal regulators don’t crack down on businesses that aren’t fully compliant by Nov. 1 — insurance companies will become educators, Goodman summarized. “It’s not the traditional insurance role, but everything is risk-based, so it’s a good fit.”
The fact is that identity theft is a growing problem,” said Linda Foley, Identity Theft Resource Center founder “There are a lot of people being hurt by this crime (in terms of) businesses and as individuals.”