ID Theft Red Flags - 11 Resources

Updated October 30, 2009 - The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until June 1, 2010, to allow creditors and financial institutions more time to develop and implement written Identity Theft Prevention Programs. This new extension will allow FTC staff to "redouble its efforts to educate [small businesses and other entities] about compliance with the Red Flags Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply." The latest announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

The FTC's Red Flags website offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule. EDUCAUSE also has sample campus policies and programs available on this page.

Webcast

Creating a Compliance Program for Identity Theft Rules

October 22, 2008 - Webcast Archived

Speaker: Naomi Lefkovitz, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

Summary: New federal regulations to address identity theft go into effect November 1, 2008, and are likely to affect colleges and universities in nuanced ways. Compliance will require careful study and collaboration among business officers, human resources, legal counsel, student services, IT, and other affected campus units. The rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency. They also require that institutions develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts.

Who is subject to and must comply with the regulations on ID Theft Red Flags and Notices of Address Discrepancy? What business practices at colleges and universities are covered by the rules? What are some of the things that entities subject to the rules must do? What role does IT play in compliance with the rules? What are the penalties for failure to comply? This webcast will address these and many other questions, in addition to providing an online forum for community collaboration and sharing.

Powerpoint Slides:

• An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies

References:

• FTC Announcement: "Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy"
• FTC Identity Theft website
• NACUA General Summary of FACTA
• NACUBO Bulletin: "FTC's Red Flag Rule Likely to Affect Colleges"

Sample Campus Policies for FTC "Red Flags" Rules

• Identity Theft Prevention Program -- Sample Policy (prepared by the Kentucky League of Cities)
• Kalamazoo College Identity Theft Prevention Program -- Sample Policy
• Model Identity Theft Policy and Adopting Resolution
• Sample Identity Theft Prevention Program