Also, a Washington, D.C. federal district court has ruled that the Federal Trade Commission [...]]]> In the ongoing saga of confusion and uncertainty surrounding the Red Flags Rule, the U.S. Federal Trade Commission has announced today that it will once again extend its compliance deadline for the Red Flags Rule – this time until June 2010.

Also, a Washington, D.C. federal district court has ruled that the Federal Trade Commission cannot mandate Red Flags Rule compliance by attorneys.

And the story continues. Stay tuned for more updates as they develop.

On Nov. 1, 2008, the Federal Trade Commission enacted the Red Flag Rule on Identity Theft. Approximately 80 percent of U.S. businesses will be required to comply by Nov. 1 of this year. While many businesses are not enthusiastic about it, the question that begs [...]]]> By: Ester Horowitz
Commentary to the Automotive Dealership Institute
Published: September 2, 2009

On Nov. 1, 2008, the Federal Trade Commission enacted the Red Flag Rule on Identity Theft. Approximately 80 percent of U.S. businesses will be required to comply by Nov. 1 of this year. While many businesses are not enthusiastic about it, the question that begs asking is why wouldn’t they be?
Identity theft is not only a threat to our national security but it infiltrates our communities, encroaches on our liberties, and is just plain bad for business. According to CIO magazine, when your business experiences a security breach, 20 percent of your customers will no longer do business with you, 40 percent will consider ending the relationship and 5 percent will hire lawyers.
There are people among us who are living under someone else’s identity. They are our neighbors. They purchase our products and services, use our resources, and leave us with the fallout amounting to an average of $92,500 per person. In addition, the cost for not complying with the Red Flag Rule is $2,500 per incident if charges are brought by federal and state agencies and $1,000 in civil liabilities per incident with no statute of limitations from actions brought by consumers.
The FTC is asking businesses to comply with the Red Flag Rules by following 4 basic steps:
1) Detect the possibility of identity theft
2) Create policies and procedures
3) Educate employees
4) Maintain vigilance
To initiate a compliance program, companies are required to obtain the complete support and cooperation of its board of directors and owners. They also must elect a security officer responsible to oversee proper implementation.
Complying with the first step of the process can be as simple as establishing a chart about how information flows in the organization. This is a good step for 98 percent of small businesses that have less than 25 employees. The flow chart is also an excellent tool to detect hidden wealth the company may not realize. Following the flow of information is akin to following the processes of the company. When you follow the processes you are able to detect misalignments in the work flow that can result in poor productivity and/or money left behind. Therefore, identifying red flags has an important benefit and is well worth the invested time.
For larger companies, the detection process takes the most effort to perform. Some organization hire outside consultants at an average of $250 per hour to perform the task and others elect a team of people in the company that represent different disciplines to form a compliance committee that reports to the security officer.
Many companies already performed a due diligence about how information flows in their organization when they were required to follow other regulations such as Graham Leech Bliley or the Health Information Portability and Accountability Act. Rather than duplicate this effort, they can update the previous due diligence to reflect what is happening in the company today and then determine where the potential is for identity theft.
Policies and procedures generally reflect what was found in the due diligence process. Small organizations can take advantage of templates offered by the FTC, trade organizations, attorneys, consultants, and a few highly touted “plug-and-play” programs. Many offer them at no cost, but make sure when you obtain the templates that can be adapted to reflect your company’s information.
Educating employees seems to be the area where most companies experience difficulty. There are only a limited number of organized educational programs available like trade association programs. Costs vary according to membership. The most widely endorsed program is available through Pre-Paid Legal Services, Inc. and is part of an Affirmative Defense Response System, which includes monitoring and restoration services.
Finally, maintaining vigilance once the organization completes the first three steps is crucial. Make sure new employees are educated and a periodic due diligence for red flags is performed. In addition, the regulation requires that you contact your business associates and vendors to ensure that they are also complying with identity theft regulations.
Above all else, before we are people that either own or work for a company, we are a collection of individuals with many roles living in a community. We owe it to ourselves, our children, and our community to perform this process. Complying with the FTC Red Flag Rule keeps businesses and neighborhoods safe as well as companies profitable.
____________________________________________________________________________
To schedule FREE TRAINING for your organization to comply with Red Flags rule, contact Jan Gudis, Certified Identity Theft Risk Management Specialist at 407.349.2951.

Albert [...]]]> Friday, September 11, 2009 – South Florida Business Journal- In what has been called the largest identity theft case in U.S. history, a 28-year-old Miami man pleaded guilty on Friday to charges he hacked into the computers of some of the nation’s largest retailers and stole more than 40 million credit and debit card numbers.

Albert Gonzalez admitted to 19 counts of conspiracy, computer fraud, wire fraud access device fraud and aggravated identity theft relating to hacks into such retailers as Office Max, Boston Market and Barnes & Noble.

Gonzalez was indicted in Massachusetts in August 2008.

He also pleaded guilty to one count of conspiracy to commit wire fraud relating to hacks into the Dave & Buster’s restaurant chain, which were the subject of a May 2008 indictment in New York.

Under the terms of the plea agreement, he faces up to 25 years in prison.

Gonzalez also agreed to forfeit more than $2.7 million, as well as real estate and personal property, including a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches, as well as more than $1 million in cash that he buried in a container in his backyard. Sentencing is scheduled for Dec. 8.

Gonzalez remains under indictment for charges brought in August in New Jersey. It is alleged he and his co-conspirators hacked into computer systems belonging to Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven; and Hannaford Brothers Co., a Maine-based supermarket chain. Charges in that case remain pending.

Judge Andrew Guilford upheld his May decision in favor of credit reporting bureau Experian Information [...]]]> From the Phoenix Business Journal — LifeLock Inc. will have to find a new way to protect consumers from identity theft as a U.S. District Court Judge found that its practice of placing fraud alerts on customers’ credit reports is illegal.

Judge Andrew Guilford upheld his May decision in favor of credit reporting bureau Experian Information Solutions Inc., which had sued LifeLock saying a company’s placement of such fraud reports violates the Fair Credit Reporting Act.

LifeLock asked Guilford to reverse his preliminary ruling, citing new evidence, but Guildford said that information did not warrant reconsideration of his summary judgment.

The decision means Tempe-based LifeLock will have to find another way to protect its more than 1.5 million customers, who pay up to $10 a month to have the company place fraud alerts on their credit reports every 90 days in an effort to deter identity theft.

The judge has yet to rule on Experian’s request for a permanent injunction blocking LifeLock’s services, but that could come quickly.

Since the lawsuit, LifeLock had been examining ways to branch out beyond the fraud alerts to expand its identity theft protection services. It recently announced a deal to bundle its services with some of Symantec Corp.’s popular computer protection software. LifeLock recently received $40 million from investors, including Symantec.

The Legislature has already agreed to $10.4-million to settle a class action lawsuit over allegations that [...]]]> Gov. Charlie Crist and the Florida Cabinet have agreed to pay the federal government $1.5 million to settle a complaint that the state violated motorists’ privacy. The panel accepted the deal Tuesday, but it also will need the Legislature’s approval.

The Legislature has already agreed to $10.4-million to settle a class action lawsuit over allegations that the state illegally sold drivers’ personal information to marketing firms over a four-year period in violation of a federal law barring the practice. The state made $27-million each year on the deal, according to the lawsuit.

The settlement to drivers? $1. The four South Florida motorists who sued will get $3,000 each, and five law firms that pursued the case for more than six years will divide $2.85-million in legal fees, which is separate from credits paid to consumers.

The personal information that was sold includes a Social Security number, driver ID number, name and address.

The state formally denied any wrongdoing.

The state’s maximum liability was estimated at $39-billion, based on a $2,500 penalty for each violation of the federal Drivers Privacy Protection Act.

Congress in 1999 amended the law to prohibit states from providing drivers’ personal information unless the state had drivers’ permission to do so.

But Florida, the lawsuit alleged, continued to market the data anyway. The Legislature passed a law in 2004 ending the practice.
We would only ask “What were you thinking?”

In a two-count indictment alleging conspiracy and conspiracy to engage in wire [...]]]> The US Department of Justice reported today the indictment of Albert Gonzalez, 28, of Miami, Fla., for conspiring to hack into computer networks supporting major American retail and financial organizations, and stealing data relating to more than 130 million credit and debit cards.

In a two-count indictment alleging conspiracy and conspiracy to engage in wire fraud, Gonzalez, AKA “segvec,” “soupnazi” and “j4guar17,” is charged, along with two unnamed co-conspirators, with using a sophisticated hacking technique called an “SQL injection attack,” which seeks to exploit computer networks by finding a way around the network’s firewall to steal credit and debit card information. Among the corporate victims named in the indictment are Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain.

The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims.

If convicted, Gonzalez faces up to 20 years in prison on the wire fraud conspiracy charge and an additional five years in prison on the conspiracy charge, as well as a fine of $250,000 for each charge.

Gonzalez is currently in federal custody. In May 2008, the U.S. Attorney’s Office for the Eastern District of New York charged Gonzalez for his alleged role in the hacking of a computer network run by a national restaurant chain. Trial on those charges is scheduled to begin in Long Island, N.Y., in September 2009.

In August of 2008, the Justice Department announced an additional series of indictments against Gonzalez and others for a number of retail hacks affecting eight major retailers and involving the theft of data related to 40 million credit cards. Those charges were filed in the District of Massachusetts. Gonzalez is scheduled for trial on those charges in 2010.

The charges announced today relate to a different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators.

This case is being prosecuted by Assistant U.S. Attorneys Erez Lieberman and Seth Kosto for the U.S. Attorney’s Office for the District of New Jersey and by Senior Trial Counsel Kimberly Kiefer Peretti of the Criminal Division’s Computer Crime and Intellectual Property Section. The case is being investigated by the U.S. Secret Service.