
SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC October 6, 2009.




1 SC Identity Theft Act and Red Flag Rules Stephanie O’Cain, CPA Municipal Association of SC socain@masc.sc October 6, 2009

2 IMPORTANT DATES
State legislation: December 31, 2008
Red Flag enforcement extended to November 1, 2009

3 SC Financial Identity Fraud and Identity Theft Protection Act One of the two strongest in the nation per SC Dept of Consumer Affairs

4 Overview of SC Act 190
1. Consumer Identity Theft Protection
2. Personal Identifying Information Privacy Protection by public bodies
3. Credit and debit card receipts
4. Breach of security of business data
5. Breach of security of state agency data
6. Household garbage privacy
7. Identity fraud (definitions and penalties)

5 Overview of SC Act 190
–Requires a legitimate business purpose to collect personal identifying information
–Requires security of this information
–Describes proper disposal methods
–Requires certain procedures if a breach occurs

6 What is personal identifying information? First and last name (or first initial) in combination with any one of the following:
–social security number;
–driver's license number;
–financial account number or credit or debit card number in combination with any required security code;
–other identifying information

7 Social Security Number The State defines a social security number as containing 6 or more digits. In other words, 5 or fewer digits is acceptable.

8 Unless otherwise stated, a Public Body may not -- Collect a social security #
–Unless authorized by law to do so.
–Unless the collection is otherwise imperative for the performance of that body’s duties and responsibilities as prescribed by law.

9 Unless otherwise stated, a Public Body may not -- Collect a social security # (cont’d)
–Unless the collection is relevant to the purpose for which it is collected.
–Must not be collected until and unless the need has been clearly documented.

10 Unless otherwise stated, a Public Body may not -- Fail, when collecting a social security number, to segregate that number on a separate page from the rest of the record, or as otherwise appropriate, so that the social security number may be easily redacted pursuant to a public records request.

11 Unless otherwise stated, a Public Body may not -- Intentionally communicate – or otherwise make available – to the general public an individual’s SS# or other personal identifying information.

12 Unless otherwise stated, a Public Body may not -- Intentionally print or embed an individual’s SS# on any card required for the individual to access government services.

13 Unless otherwise stated, a Public Body may not -- Require an individual to use a SS# to access an internet website, unless
–a password, or
–a unique personal ID number, or
–another authentication device is also required.

14 Unless otherwise stated, a Public Body may not -- Require an individual to transmit a SS# over the internet, unless
–the connection is secure, or
–the SS# is encrypted.

15 Unless otherwise stated, a Public Body may not -- Print a SS# on materials that are mailed to the individual, unless state or federal law requires the SS# on the mailed document.
–Federal ID #s on Business Licenses

16 What are some public body exceptions?
–HR functions
–Administration or provision of employee benefits program
–Employment verification purposes
–Claims and procedures related to employment such as termination, retirement, workers’ comp, etc.

17 What are some public body exceptions? See legislation for other exceptions

18 What about service providers? Must be necessary for the receiving entity to perform its duties. Must have a business purpose.

19 What about service providers? The following were specifically named as allowable:
–Setoff Debt Collection Act
–Governmental Enterprise AR Collection program

20 Register of Deeds and County Clerk of Court Overall, required to (1) act reasonably to limit the public posting of personal information; (2) remove personal information from public documents; and (3) advise the public of their rights for this request.

21 Register of Deeds and County Clerk of Court See 30-2-330 for specific requirements of a public notification and for those preparing documents to be recorded or filed in official records.

22 Credit and debit card receipts Must not print on a receipt provided to the cardholder at the point of sale:
(1) more than five digits of the account number, AND
(2) the expiration date
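As an added example, not part of the presentation: a Python check for the point-of-sale rule above. It masks a card number down to its last four digits (within the five-digit limit), flags receipt lines that show more than five digits of the account number or an expiration date, and rewrites a receipt so it passes. The card number and receipt lines are constructed for the example.

```python
"""Check receipts against the SC Act 190 point-of-sale rule: no more than
five digits of the card number and no expiration date. Card numbers and
receipt lines used here are constructed for this example."""
import re

MAX_VISIBLE_DIGITS = 5  # the Act's ceiling on account-number digits shown

# A card number as printed: groups of four digits (or X/* mask characters)
# separated by spaces or dashes, 9 to 19 characters in total.
_PAN_RE = re.compile(r"(?<![0-9*])(?:[0-9Xx*]{4}[ -]?){2,3}[0-9Xx*]{1,7}(?![0-9*])")
# An expiration date in MM/YY or MM/YYYY form behind a common label.
_EXP_RE = re.compile(r"\b(?:exp|expires?|valid thru)\b[ :]*\d{2}/\d{2,4}", re.I)


def mask_pan(pan: str, keep: int = 4) -> str:
    """Replace all but the last `keep` digits with '*', keeping separators."""
    if keep > MAX_VISIBLE_DIGITS:  # the masked result must itself comply
        raise ValueError("keep must not exceed %d digits" % MAX_VISIBLE_DIGITS)
    hidden = sum(c.isdigit() for c in pan) - keep
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("*" if seen < hidden else c)
            seen += 1
        else:
            out.append(c)  # separators stay so the receipt layout is unchanged
    return "".join(out)


def receipt_violations(receipt: str) -> list:
    """Return (line_no, reason) pairs for every line that breaks the rule."""
    problems = []
    for n, line in enumerate(receipt.splitlines(), 1):
        for m in _PAN_RE.finditer(line):
            visible = sum(c.isdigit() for c in m.group())
            if visible > MAX_VISIBLE_DIGITS:
                problems.append((n, "%d digits of card number shown" % visible))
        if _EXP_RE.search(line):
            problems.append((n, "expiration date shown"))
    return problems


def mask_receipt(receipt: str) -> str:
    """Mask every card number to its last four digits and drop expirations."""
    masked = _PAN_RE.sub(lambda m: mask_pan(m.group()), receipt)
    return _EXP_RE.sub("", masked)


# Constructed receipt: shows the full card number and the expiration date.
SAMPLE_RECEIPT = "Card: 4111 1111 1111 1111\nExp: 12/11\nTotal: $10.00"
```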

23 Credit and debit card receipts Violations = misdemeanor with a $250 fine for the first violation and $1,000 for each subsequent violation. Knowing and willful violations = Class F felony, punishable by imprisonment of not more than 5 years, a fine of not more than $1,000, or both.

24 Proper disposal of business records “When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.”

25 Proper disposal of business records Contracting with a person engaged in the business of disposing of records is considered compliance with SC law.

26 Proper disposal of business records Penalties for noncompliance
–Willful violation = 3x actual damages, not more than $1,000 for each incident, plus reasonable attorney’s fees and costs
–Negligent violation = actual damages and reasonable attorney’s fees and costs.

27 Disposal of Information Technology hardware or storage media Before a public body may transfer or dispose of IT hardware or storage media, all personal and confidential information must be removed and the remaining hardware/media must be sanitized in accordance with standards and policies adopted by the State Budget and Control Board, Division of the State Chief Information Officer.

28 SC Hardware Sanitization Policy http://www.cio.sc.gov/NR/rdonlyres/DD63AC0B-A4A3-409B-9827-EA1DE8929F16/0/HWSanitizationPolicy.pdf

29 Two methods of sanitization
–Physical destruction: crush, shred, incinerate or smelt
–Digital sanitization: deleting files is insufficient. Must use digital sanitization tools such as DataEraser, Sanitizer, SecureClean, WipeInfo, DataGone

30 Sanitization must comply with Department of Defense requirements for sanitization tools (DoD 5220.22-M).

31 Sanitization must comply with National Institute of Standards and Technology’s Publication 800-88 for sanitization methods.

32 Sanitization also includes
–Cell phones
–Other hand held devices (Palm, Treo, etc.)
–Copy machines
–Fax machines
–Flash drives
–Hard drives

33 Disposal of Information Technology hardware or storage media The director or appropriate IT manager of the public body owning or leasing the hardware or storage media shall verify that all personal and confidential information is removed and that the hardware or storage media is sanitized in accordance with those standards and policies before the transfer or disposal is made.

34 What is a data breach? “…unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, OR

35 What is a data breach? … the integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident.”

36 What isn’t a breach? “Good faith acquisition of personal identifying information by an employee or agent of the person for the purposes of its business is not a breach of the security of the system if the personal identifying information is not used or subject to further unauthorized disclosure.”

37 When must a breach be reported? When personal identifying information has not been rendered unusable through encryption, redaction, or other methods.

38 When must a breach be reported? When it is reasonably believed to have been acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the individual.

39 Red Flag Rule is federal legislation under FACTA (Fair and Accurate Credit Transactions Act of 2003)

40 Fundamentals
I. Develop a Written Program
II. Identify Relevant Red Flags
III. Detect Red Flags
IV. Prevent and Mitigate ID Theft
V. Update the Program
VI. Administer the Program

41 One size does not fit all The Red Flags and responses should be appropriate to the level of risk and the size of accounts, etc.

42 I. Develop a Plan
–Must be a written plan
–Initial plan must be adopted by governing body
–Must assess the risk
–Must consider the 26 Red Flags
–Must consider past ID theft experience

43 II. Identify Relevant Red Flags Categories of Red Flags
1. Consumer report alerts
2. Presentation of suspicious documents
3. Presentation of suspicious personal ID information
4. Suspicious activity on the account
5. Notice of possible ID theft on account

44 III. Detect Red Flags Procedures to detect red flags
–Verify identity (new accounts)
–Authenticate customers (existing)
–Monitor transactions (existing)
–Verify validity of address changes (existing)

45 IV. Prevent and Mitigate Appropriate Responses to Red Flags
–Monitor accounts
–Contact customer
–Change passwords
–Close and reopen account
–Refuse to open account
–Don’t collect on or sell account
–Notify law enforcement
–No response

46 V. Update the Program Periodic updating of the Program
–Experience with ID theft
–Changes in industry standards
–Changes in types of accounts offered or maintained
–Changes in business arrangements, service providers, etc.

47 VI. Administer the Program
A. Oversight of Plan
B. Reporting of Instances, etc.
C. Oversight of Service Provider Arrangements

48 FTC Guide and Plan http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml

49 How do we get in compliance?
–Take stock
–Scale down
–Lock it
–Pitch it
–Plan ahead

50 QUESTIONS?

