Consumer Assistance Needed to Help Fight Identity Theft

* Reuters is not responsible for the content in this press release.

Tue Jul 7, 2009 10:11am EDT

Deadlines approach for businesses to meet identity theft consumer protection
laws.

BOSTON, July 7 /PRNewswire/ -- $60 billion was lost and 35.6 million consumer
records were exposed in 2008 due to data breaches and identity theft, a 47%
increase over 2007, according to the Identity Theft Resource Center.  The U.S.
Department of Justice reports that identity theft has surpassed the illegal
drug trade as the number one crime in the nation.  In response, federal
agencies have mandated "Red Flag Rules" under the Fair and Accurate Credit
Transactions Act of 2003, and Massachusetts enacted the most stringent consumer
protection law in the nation, 201 CMR 17.00. 

The Federal Trade Commission (FTC) estimates that many of the 11 million
businesses affected by Red Flags are unaware of the law and the impact on
their business.  Organizations that use credit reports, extend credit or defer
payments for goods and services (creditors) are subject to the new identity
theft law.  The law affects businesses as diverse as health care, doctors,
dentists, auto dealers, furniture companies, mortgage brokers, jewelers,
equipment leasing, landlords, academia, and home and yard cleaning services,
all of which are required to meet these requirements.  Also covered are
municipal utilities, such as trash, water, gas and electrical services.  Red Flags requires
businesses to develop a comprehensive written identity theft prevention
program, to protect consumers and customers from identity theft and related
crimes.  Organizations impacted by Red Flags have until August 1, 2009, to
meet requirements.

On August 2, 2007, Gov. Patrick signed into law 201 CMR 17.00, Standards for
the Protection of Personal Information of Residents of the Commonwealth.  The
law affects virtually every business, including those not located in
Massachusetts.  Any business which owns, licenses, stores or maintains
personal information on a resident of the Commonwealth must adhere to these
requirements.  Under these new laws, personal information is defined as first
and last name or first initial and last name in combination with any one or
more of the following:  social security, driver's license or state-issued
identification card numbers, financial account number, credit or debit card
number with or without any required security code, access code, PIN or
password.  The law mandates that organizations develop a comprehensive written
information security program that includes physical security, computer system
security, risk assessments and vendor management. Every business or
organization that has employees or accepts credit/debit cards or personal checks
must meet these requirements no later than January 1, 2010.

According to Joel Winston of the FTC, the commission is currently filing cases
against companies that do not utilize reasonable measures to secure privacy
data.  The FTC is employing numerous strategies to get the message to the
business community about the importance of protecting consumers from privacy
information theft and identity theft.

As a former victim of credit card fraud himself, Tom Considine, CIPP, of Tom
Considine and Associates Information Privacy Professionals, knows firsthand
the problems created when organizations allow information to be stolen.  "We
work closely with businesses, training them how to inexpensively meet these
requirements.  However, many of them are more concerned about their bottom
line than your security and choose to ignore these laws, putting consumers and
employees at great risk.  An effective way to stop this crime is for consumers
to get involved," said Tom.  

Mr. Considine's advice on how best to protect your personal information:  "Ask
your employer about receiving the training you need to become the Information
Protection Manager (IPM) in your office.  This training will make you an
effective leader in data protection and invaluable to your organization.  As a
consumer, ask who the IPM is in businesses that you frequent and provide your
credit/debit cards to.  If they do not have an IPM and written information
security plan, then chances are they are not compliant and are placing your
personal data at risk.  Inform them that you will only do business with those
who are compliant with the new protection laws put in place to protect
consumers.  A former student once printed copies of articles to give to the
businesses she frequented, understanding that compliance protects herself,
other consumers and the business as well."  The number one thing which
consumers can do to protect themselves?  "If consumers dealt only with
businesses that are compliant, Massachusetts would see a significant drop in
the number of identity theft victims.  The procedures mandated by the new
protection laws are in place to protect consumers, and consumers have the
right to use only those businesses that maintain compliance," said Tom.

A new website currently under development is www.WhoComplys.org. 
WhoComplys.org is designed to help consumers locate businesses that meet or
exceed their regulatory requirements.  Consumers will be able to identify
responsible businesses that take protection of consumer information seriously,
while avoiding rogue businesses that are noncompliant with these laws. 
www.WhoComplys.org is set for a January 2010 launch date, coinciding with the
deadline for Massachusetts 201 CMR 17.00.
 
Tom Considine and Associates provides information protection and compliance
training for public and private organizations.  They may be reached at
www.tcipp.com or 617-398-3312.



SOURCE  Privacy News and Review

Tom Considine and Associates, +1-617-398-3312, for Privacy News and Review