Monday, December 30, 2013

Data Security Guide: Spotting Identity Theft

Identity theft can take many different forms. A criminal might use another person's name and address to open an account with a small business that offers delayed (30-day) billing after the date of sale. A criminal might log in to another customer's account and make transactions without that customer's authorization. Or a criminal might use a stolen credit card number to buy products and services.

Getting Started

For a small business, combating identity theft is a four-step process, and it needs to be put into action before an incident occurs:
  1. Identify types of suspicious behavior.
    Identify in advance what constitutes suspicious behavior. These indicators are often referred to as the "red flags" of identity theft.
  2. Develop policies that will detect suspicious events early — and train your employees.
    Put policies in place that will help you and your employees recognize a red flag and catch suspicious events early, or even as they occur.
  3. Respond to suspicious behavior.
    Each red flag you detect needs a matching action plan. The appropriate action depends on the type of red flag and on how likely that red flag is to lead to identity theft.
  4. Write it down. Type up the lists you just created:
    1. The red flags that could affect your small business,
    2. The ways in which your small business will detect suspicious events, and
    3. How your business will respond to suspicious behavior.

Checklists

  1. Identify types of suspicious behavior.
    Although red flags differ among businesses and industries, the following types of red flags are common to most small businesses:
    • A customer reports that they have seen suspicious activity in one of their accounts.
    • A customer opens a new account that contains suspicious elements.
    • A customer presents you with suspicious documents (e.g., altered ID card, different addresses on different forms of ID, a PO Box as a home address).
    • You (or your employees) notice unusual activity relating to a customer's account.
  2. Develop policies that will detect suspicious events early — and train your employees.
    Policies will differ depending on your business and your industry, but the following are examples of ways you can train your employees, which will become the basis for your Red Flags Policy:
    • Train about types of red flags they might see when a customer opens an account.
    • Train about types of red flags they might see when a customer orders a product/service.
    • Train about types of red flags they might see on an existing account.
  3. Respond to suspicious behavior.
    Here are some possible action plans, depending on the circumstances:
    • Report the red flag event to the police or to other law enforcement or regulatory agencies, such as the Federal Trade Commission or your state attorney general's office.
    • If the red flag involves Internet sales, you can also report the event to the FBI's Internet Crime Complaint Center at www.ic3.gov.
    • Alert your customer that suspicious behavior has been observed on their account.
    • Refuse to complete a transaction until the suspicious event can be explained.
    • Request that your customer provide additional documentation to verify that they are who they say they are.
    • Request that your customer explain the suspicious activity.
  4. Write it down.
    • Develop a written policy and update it periodically — at least once a year.
    • Share your policy with all of your employees, and use it to help train them on how to detect and respond to identity theft.


U.S. Legal Requirements

The Fair and Accurate Credit Transactions Act ("FACTA") requires "financial institutions" and "creditors" that maintain "covered accounts" for their customers to create a written program to detect, prevent, and mitigate identity theft.
The Federal Trade Commission has published a legal rule, called the Red Flags Rule, that implements this requirement. In May 2013, the Commission released a new guide entitled Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business (the "Guide") to help businesses and organizations determine whether they are subject to the Red Flags Rule and how to meet the Rule's requirements. The FTC's Guide includes information regarding what types of entities must comply with the Red Flags Rule, a set of FAQs, and a four-step process to achieve compliance.
Although you may not think of your business as either a "financial institution" or a "creditor," the Rule's definition of "creditor" reaches beyond banks and lenders. A business that, regularly and in the ordinary course of business, obtains or uses consumer reports in connection with credit transactions, furnishes information to consumer reporting agencies in connection with such transactions, or advances funds to or on behalf of a person based on that person's obligation to repay them, is a "creditor" under the Rule. Simply allowing customers to defer payment for goods or services does not by itself make a business a creditor, but many businesses that defer payment also do one of the things listed above. If your business could be considered a "creditor," you should check whether any of your customer accounts are "covered accounts" under the Rule.
Under the Rule, businesses with “covered accounts” must put in place a Red Flag program that:
  • Includes reasonable policies and procedures to identify the “red flags” of identity theft in the day-to-day operations of the business.
  • Is designed to detect the red flags of identity theft known to the business.
  • Sets out the actions the business will take upon detecting red flags.
  • Is re-evaluated periodically.
If you think your business may be covered by the Red Flags Rule, you may wish to consult an attorney to determine whether you are covered, whether you are required to have a written policy (a "Red Flags Policy"), and if necessary, whether your Red Flags Policy complies with the Red Flags Rule.