Small businesses must navigate a sea of complicated laws and regulations, and knowing which laws apply to your business is increasingly difficult. As an example, the Fair and Accurate Credit Transactions Act (“FACTA"), is one of many laws aimed at protecting confidential information and preventing identity theft. Although much of FACTA is applicable only to financial institutions and credit reporting agencies, certain parts of the law apply to virtually all businesses, and can expose those businesses to significant liability.
Determining whether your business is subject to FACTA and the regulations which implement and enforce it (commonly known as the “Red Flag Rules") is more complicated than you might imagine, despite attempts by Congress and the Federal Trade Commission to clarify which businesses are covered. In general, your business may be subject to the law if you regularly (1) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person with the expectation that those funds will be repaid, except for an advance of incidental expenses.
Although simple in concept, the definition of “consumer reports" is broad and includes bank and credit card information, Social Security numbers, insurance information, tax information, credit reports, address history, driver’s license number and other similar types of sensitive data. Even if your business does not collect this information from customers, you likely maintain this information about your employees, especially if you perform background checks or credit checks before hiring an employee.
If your business is subject to FACTA and the Red Flag Rules, you have an obligation to protect the confidential information of your customers and employees. Your business must also watch out for “red flags" that might indicate theft of confidential information. Red flags include:
· A notice from a credit reporting agency that there is possible fraud or identity theft, that there is a credit freeze in effect or that there is a discrepancy in the person’s address.
· Evidence that the person’s credit report contains suspicious or unusual activity.
· Evidence that documents are altered or forged.
· Evidence that the person’s photograph on an identifying document does not match their appearance.
· Inconsistent signatures on documents.
· Discrepancies in personal information (i.e. address or Social Security number) provided by the person does not match the information from other sources.
· Returned mail sent by you to the person’s address.
To comply with FACTA and the Red Flag Rules, your business must develop and implement a written data protection and identity theft prevention policy which details how your business will detect and respond to red flags. For small businesses with little customer or employee data and relatively low risk of data loss, the written policy need not be complex, but it must include reasonable policies and procedures to identify red flags and respond to the red flags in a way that prevents or mitigates identity theft. The written policy must be periodically reviewed and updated to reflect any changes in your business or in the risk to the confidential information that you maintain.
The written policy should also identify how your business will protect the security of confidential information. Physical documents should be locked away and access to them should be limited only to those who are authorized to access the information. Electronic data, especially data stored on computers and servers with internet access, should be encrypted or password protected. Likewise, if you transmit or receive confidential information using the internet, ensure that the connection is secured or encrypted. Computers and servers must be protected from spyware, malware or viruses which could cause a breach in your security system.
If your business maintains confidential information about customers or employees, you should consider whether you truly need to maintain all of the information collected. Old files for former customers or employees should be destroyed to reduce the risk that the information is misused. As you collect new information, ensure that you collect only the minimal information needed to accomplish your purpose. Collecting or preserving unnecessary data increases the risk that the data could be lost or stolen. Disposal of old information must be done in a way that that prevents others from reconstructing the data contained in the documents, such as by burning or shredding. If you dispose of electronic data, the data must be deleted in a way that prevents the re-assembly of that data.
Failing to comply with FACTA or the Red Flag Rules can be costly. A business that fails to adequately protect its customers’ or employees’ confidential information can be fined up to $2,500 per violation or $1,000 per customer or employee. Additionally, if the identity of your customer or employee is stolen because of your failure to protect the information, the customer or employee can initiate a lawsuit against your business to recover the damages suffered as a result. If your business is in compliance with FACTA and the Red Flags Rules, that potential liability may be reduced.
Because your business is exposed to significant liability for failing to comply with FACTA, the Red Flag Rules and other state or federal laws and regulations regarding protection of confidential information, it is important that you proactively take steps to protect confidential information. Although developing a written policy may seem like a hassle, with competent legal representation it will be less expensive than your potential liability for not complying with the law, and far easier than embarking on this process alone.
For more information, contact Ryan P. Siney, Esquire at (717) 763-1121 or firstname.lastname@example.org.