Red Flags Rule Shortfalls
As businesses recognize the urgency of addressing identity theft risks to reduce fraud costs and comply with the laws, they must understand and consider the Red Flags Rule shortfalls in order to address all identity theft risks while developing and implementing the provisions of the corporate identity theft prevention and management program. Although the Red Flags Rule ("Rule") is a good starting point by which the US federal government provides guidance and requires businesses to prevent identity theft, the Rule does not address risks beyond credit identity theft in certain businesses. The Red Flags Rule shortfalls include 1) limiting the law to financial institutions and creditors with certain covered accounts, 2) ignoring non-credit types of identity theft cases, and 3) limiting identity theft risks to the identification and prevention of red flags which can lead to identity theft, while ignoring notification to other businesses through a central process if customer information is stolen which can lead to identity theft elsewhere. Although an identity theft prevention program deployed at other businesses will detect fraud resulting from information stolen elsewhere, this detection will be limited to just certain accounts and creditors identified under the law.
The federal Red Flags Rule was created and is now being enforced on the assumption that the loss of private consumer information by companies, which can lead to identity theft and fraud, has a ripple effect on other businesses and consumers. That effect must be addressed if we want to reduce fraud costs, reduce costs and confusion associated with identity theft lawsuits, and protect consumers. Of course, the federal government's immediate concern when it created this law was not business fraud costs but rather consumer protection as part of the FACT Act.
Most corporate risk assessments focus on information security risks and not enough on operating risks such as identity theft, which the Red Flags Rule aims to reinforce. The law emphasizes that identity theft red flags or warning signs must be identified, detected and stopped through comprehensive planning and execution of an identity theft prevention program, regardless of where the information needed to commit fraud was obtained. The last part of that statement changes everything in the identity theft management business, and this is where the Red Flag identity theft law mainly differentiates itself from all other information security laws and practices. In short, a business must stop identity theft regardless of where the information needed to commit fraud was stolen. In other words, the negligence of a company in safeguarding the personal information of its customers can inflict damages on other businesses when stolen information is used to commit fraud elsewhere.
In conclusion, given the high numbers in identity theft fraud costs, which are about $50 billion annually, I am more surprised about the lack or delay of business motivation and initiative to prevent identity theft to improve profit margins, which ultimately resulted in a showering of identity theft laws. I believe that the Red Flags Rule shortfalls will be addressed by the regulators in the future to address the rising risks of medical identity theft, employment identity theft, and other identity theft risks, which will prove to be beneficial to all parties over time.