Presentation is loading. Please wait.

Presentation is loading. Please wait.

SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009.

Similar presentations


Presentation on theme: "SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009."— Presentation transcript:

1 SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009

2 IMPORTANT DATES IMPORTANT DATES State Legislation December 31, 2008 Red Flag enforcement extended to November 1, 2009

3 SC Financial Identity Fraud and Identity Theft Protection Act One of the two strongest in the nation per SC Dept of Consumer Affairs

4 Overview of SC Act Consumer Identity Theft Protection 2. Personal Identifying Information Privacy Protection by public bodies 3. Credit and debit card receipts 4. Breach of security of business data 5. Breach of security of state agency data 6. Household garbage privacy 7. Identity fraud (definitions and penalties)

5 Overview of SC Act 190  Requires a legitimate business purpose to collect personal identifying information  Requires security of this information  Describes proper disposal methods  Requires certain procedures if a breach occurs

6 What is personal identifying information? First and last name (or first initial) in combination with any one of the following: –social security number; –driver's license number –financial account number or credit or debit card number in combination with any required security code; –other identifying information

7 Social Security Number State defines social security numbers as containing 6 or more digits. In other words, 5 or less is acceptable.

8 Unless otherwise stated, a Public Body may not -- Collect a social security # –Unless authorized by law to do so. –Unless the collection is otherwise imperative for the performance of that body’s duties and responsibilities as prescribed by law.

9 Unless otherwise stated, a Public Body may not -- Collect a social security # (con’t) –Unless the collection is relevant to the purpose collected –Must not be collected until and unless the need has been clearly documented.

10 Unless otherwise stated, a Public Body may not -- Fail, when collecting s social security number, to segregate that number on a separate page from the rest of the record, or as otherwise appropriate, so that the social security number may be easily redacted pursuant to a public records request.

11 Unless otherwise stated, a Public Body may not -- Intentionally communicate – or otherwise make available – to the general public an individuals SS# or other personal identifying information.

12 Unless otherwise stated, a Public Body may not -- Intentionally print or imbed an individual’s SS# on any card required for the individual to access government services.

13 Unless otherwise stated, a Public Body may not -- Require an individual to use a SS# to access an internet website, unless –a password or –unique personal id number or –other authentication device is also required.

14 Unless otherwise stated, a Public Body may not -- Require an individual to transmit a SS# over the internet, unless –the connection is secure –or, the SS# is encrypted

15 Unless otherwise stated, a Public Body may not -- Print a SS# on materials that are mailed to the individual, unless state or federal law requires the SS# on the mailed document. Federal ID #s on Business Licenses Federal ID #s on Business Licenses

16 What are some public body exceptions? HR Functions HR Functions Administration or provision of employee benefits program Administration or provision of employee benefits program Employment verification purposes Employment verification purposes Claims and procedures related to employment such as termination, retirement, workers’ comp, etc. Claims and procedures related to employment such as termination, retirement, workers’ comp, etc.

17 What are some public body exceptions? See legislation for other exceptions

18 What about service providers? Must be necessary for the receiving entity to perform its duties. Must have a business purpose.

19 What about service providers? The following were specifically named as allowable: Setoff Debt Collection Act Setoff Debt Collection Act Governmental Enterprise AR Collection program Governmental Enterprise AR Collection program

20 Register of Deeds and County Clerk of Court Overall, required to (1) act reasonably to limit the public posting of personal information; (2) remove personal information from public documents; and (3) advise the public of their rights for this request.

21 Register of Deeds and County Clerk of Court See for specific requirements of a public notification and for those preparing documents to be recorded or filed in official records.

22 Credit and debit card receipts Must not print on a receipt provided to the cardholder at the point of sale: (1) more than five digits of the account number AND (2) the expiration date (2) the expiration date

23 Credit and debit card receipts Violations = misdemeanor with $250 fine for first violation and $1,000 for each subsequent. Knowing and willful violations = Class F felony and must be imprisoned not more than 5 years and fined not more than $1,000, or both.

24 Proper disposal of business records “When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.” “When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.”

25 Proper disposal of business records Contracting with a person engaged in the business of disposing of records is considered compliance with SC law.

26 Proper disposal of business records Penalties for noncompliance Penalties for noncompliance Willful violation = 3x actual damages not more than $1,000 for each incident plus reasonable attorney’s fees and costs Negligent violation = actual damages and reasonable attorney’s fees and costs.

27 Disposal of Information Technology hardware or storage media Before a public body may transfer or dispose of IT hardware or storage media, all personal and confidential information must be removed and the remaining hardware/media must be sanitized in accordance with standards and policies adopted by the State Budget and Control Board, Division of the State Chief Information Officer.

28 SC Hardware Sanitization Policy EA1DE8929F16/0/HWSanitizationPolicy.pdf

29 Two methods of sanitization Physical destruction - crush, shred, incinerate or smelt Digital Sanitation - Deleting files is insufficient. Must use digital sanitization tools such as DataEraser, Sanitizer, SecureClean, WipeInfo, DataGone

30 Sanitization must comply with Department of Defense requirements for sanitization tools DoD M

31 Sanitization must comply with National Institute of Standards and Technology’sPublication for sanitization methods.

32 Sanitization also includes Cell phones Cell phones Other hand held devices (Palm, Treo, etc.) Other hand held devices (Palm, Treo, etc.) Copy machines Copy machines Fax machines Fax machines Flash drives Flash drives Hard drives Hard drives

33 Disposal of Information Technology hardware or storage media The director or appropriate IT manager of the public body owning or leasing the hardware or storage media shall verify that all personal and confidential information is removed and are sanitized in accordance with those standards and policies before the transfer or disposal is made.

34 What is a data breach? “…unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, OR

35 What is a data breach? … the integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.” … the integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.”

36 What isn’t a breach? “Good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.” “Good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.”

37 When must a breach be reported? When personal identifying information has not been rendered unusable through encryption, redaction, or other methods.

38 When must a breach be reported? When it is reasonably believed to have been acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the individual.

39 Red Flag Rule is federal legislation under FACTA (Fair and Accurate credit Transaction Act 2003)

40 Fundamentals I. Develop a Written Program II. Identify Relevant Red Flags III. Detect Red Flags IV. Prevent and Mitigate ID Theft V. Update the Program VI. Administer the Program

41 One size does not fit all The Red Flags and responses should be appropriate to the level of risk and the size of accounts, etc.

42 I. Develop a Plan Must be a written plan Must be a written plan Initial plan must be adopted by governing body Initial plan must be adopted by governing body Must assess the risk Must assess the risk Must consider the 26 Red Flags Must consider the 26 Red Flags Must consider past ID theft experience Must consider past ID theft experience

43 II. Identify Relevant Red Flags Categories of Red Flags 1.Consumer Report alerts 2.Presentation of suspicious documents 3.Presentation of suspicious personal id information 4.Suspicious activity on the account 5.Notice of possible id theft on account

44 III.Detect Red Flags Procedures to detect red flags –Verify identity (new accounts) –Authenticate customers (existing) –Monitor transactions (existing) –Verify validity of address changes (existing)

45 IV.Prevent and Mitigate Appropriate Responses to Red Flags –Monitor accounts –Contact customer –Change passwords –Close and reopen account –Refuse to open account –Don’t collect on or sell account –Notify law enforcement –No response

46 V.Update the Program Periodic updating of the Program Periodic updating of the Program –Experience with id theft –Changes in industry standards –Changes in types of accounts offered or maintained –Changes in business arrangements, services providers, etc.

47 VI. Administer the Program A. Oversight of Plan B. Reporting of Instances, etc. C. Oversight of Service Provider Arrangements

48 FTC Guide and Plan

49 How do we get in compliance? Take stock Take stock Scale down Scale down Lock it Lock it Pitch it Pitch it Plan ahead Plan ahead

50 QUESTIONS? ?


Download ppt "SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009."

Similar presentations


Ads by Google