Companies Scramble To Comply With ID Theft Law

Friday, May 01, 2009

Portland Business Journal

BY Courtney Sherwood

Ted Davis is ready for the Red Flags Rules.

His inch-thick identity theft prevention plan is typed and distributed. Locked Shred-It boxes have been deployed throughout the Parker Johnstone Wilsonville Honda offices. Employees have endured hours of training.

When the final provisions of the Fair and Accurate Credit Transaction Act known as the FACT Act -go into effect on May 1, Davis, general manager of the dealership, is determined to be in compliance.

Yet for every business like Parker Johnstone, there are likely many others that are not prepared for anti-identity theft rules that the Federal Trade Commission will now enforce. Failure to comply could cost $2,500 per violation.

Nicknamed the Red Flags Rules, these provisions require every business that regularly extends credit to its customers, or arranges credit extensions, to develop a detailed plan for combating identity theft.

Banks, hospitals and car dealers must comply, as must mortgage brokers, utility companies and telecoms. Any business that sells goods or services now and bills later must follow the rules, according to the FTC.

The rules involve navigating a bureaucratic maze of guidelines, developing and implementing a written plan, taking extra steps to look for possible signals of identity theft, and acting to prevent it.

It's a time-consuming burden, Davis said.

Businesses that don't comply will only be caught if their customer or employee data is compromised, or if there is a complaint. The FTC says that it could charge up to $2,500 per violation, and additional civil penalties could be applied. But attorneys say that with no enforcement history, it's not yet clear how violations are defined.  If 500 customers' data is stolen, that may count as one violation -or as 500.

Many businesses now required to follow the Flag Rules may never have heard of them, said Peter Kwong, shareholder at Perkins & Co., a Portland accounting firm that has developed educational materials about the new rules.

"If you're a startup, or if you're a retailer or Internet provider that stores some of your customers' information in a database, you may not be cognizant of these new rules," Kwong said. "When we talk to business people about them, sometimes they're caught off guard." 

Auto dealers may be among the best-prepared businesses on May 1, thanks to outreach by national, regional and state trade groups. As detailed in its written identity theft prevention program, Parker Johnstone Wilsonville Honda will now purchase a supplemental "Red Flag report" from credit agencies, in addition to a standard credit report, before approving vehicle loans.

Depending on the results of that report, the dealership may have to quiz buyers for additional personal information or seek more documentation. Red Flags policies also govern how the dealership accepts credit cards and checks and what it does with paperwork that contains confidential information.

"The most important things to remember are to have reasonable procedures in place -and see that employees follow them that (identify) suspicious practices, patterns, or activities that indicate the possibility of ID theft," said Frank Dorman, FTC spokesman. "An ID theft prevention program has to describe actions you'll take when you come across red flags, and make sure your program stays up-to-date."

While Davis acknowledges that the goal of the Red Flag Rules is worthy, he also finds them to be a burden.

Interpreting the federal government's 57-page Red Flags guide and drawing up a plan of action took hours of committee work. The rules also require involvement of senior management, training of people on the front line, and frequent updates.

Yet in the end, most of Parker Johnstone Wilsonville Honda's practices will remain the same, Davis said. They'll just be better documented.

"We normally do much of this anyway," Davis said. "We take people's most important asset, their identity, very seriously, and we can't risk even one occurrence of somebody stealing somebody else's personal information."