Privacy Issues in the Workplace

A “creditor” includes government entities which defer payment for goods or services (for example, payment for utilities or payment plans for parking tickets). “Deferring payments” refers to postponing payments to a future date and/or installment payments on fines or costs. A “covered account” is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account includes an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts. b. What are Red Flags? The Red Flags Rules provide all creditors the opportunity to design and implement a program (ITPP) that is appropriate to their size and complexity, as well as the nature of their operations. The Federal Trade Commission has identified 26 examples of red flags. These red flags are not a checklist, but rather, are examples that creditors may want to use as a starting point. The 26 red flags fall into five categories: 1) Alerts, notifications, or warnings from a consumer reporting agency (for example, a fraud alert included with a consumer report); 2) Suspicious documents (for example, documents provided for identification that appear to be forged); 3) Suspicious personally identifying information (for example a suspicious address, or a social security number has not been provided, or is listed on the SSA’s Death Master File); 4) Unusual use of – or suspicious activity relating to – a covered account (for example, a material change in purchasing or spending); and 5) Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts. c. Drafting The ITPP The ITPP must include the following four basic elements for detecting, preventing, and mitigating identity theft and enable a creditor to: 1) Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program; 2) Detect red flags that have been incorporated into the Program; 3) Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and 4) Ensure the ITPP is updated periodically to reflect changes in risks from identity theft. There are also certain steps that a creditor must take to administer the ITPP: obtaining approval of the initial written ITPP by the board of directors, or if none, then by an appointed senior manager/employee of the creditor; ensuring oversight of the development, implementation and administration of the ITPP; training staff on the ITPP; and overseeing service provider arrangements.

Privacy Issues in the Workplace ©2021 (s) Liebert Cassidy Whitmore 126