Green Light on Red Flags Rule
by Petr Brym – Director of IT Security
Following several delays in the enforcement of the Federal Trade Commission (FTC) Red Flags Rule, President Obama signed into law the Red Flag Program Clarification Act.
What does this mean to you? If you are a service provider handling sensitive or restricted information about others, in many ways it does not change what you should have been doing all along, except these practices will now be enforced by the FTC under the most recent amendment.
As a member of the University, it is your duty to protect personally identifiable information from viewing or abuse by unauthorized persons. It is also your duty to report incidents involving identity theft or compromised personal information. While the Red Flags Rule focuses on scenarios where such abuse happens in relation to identity theft, most of the basic practices required by Red Flags are consistent with and/or required by other privacy laws and policies.
According to the FTC, the Red Flags Rule requires reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. The Rule requires a program that is appropriate for the level of risk in your operation, is documented and approved, and includes training for staff.
Both the University System of New Hampshire (USNH) and each USNH institution worked throughout 2010 not only to formalize a program to protect information, but also to implement appropriate procedures to address the Red Flags Rule.
At the University of New Hampshire (UNH), the UNH Information Security Working Group and the UNH IT Security Committee developed the Red Flags Guide and Self-Assessment form. The Office of UNH IT Security conducted numerous presentations and training sessions to help departments complete an assessment of their risks, gauge the applicability of the Rule to their organization, and prepare accordingly.
If your organization handles personally identifiable and/or legally protected information that can be used to commit identity theft or be misused as a result of identity theft, and you are not aware of the Red Flags Rule, review the list of resources below and contact the UNH Office of IT Security without delay at the contact information provided below.
- Information Security and Red Flags training for you and/or your staff at your convenience.
- Contact UNH IT Security to request a session.
- Practical Options for Compliance with the Red Flags Rule available from UNH IT Security.
- UNH Red Flags Rule Self-Assessment Form available on-line at http://it.unh.edu/itsecurity.
- Information Security Training for UNH Employees PowerPoint available from UNH IT Security.
- More information: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml