Adrs Presentation March 2008


Transcript of Adrs Presentation March 2008

Page 1: Adrs Presentation March 2008

Affirmative Defense Response System

(ADRS)

MINIMIZE YOUR RISK

Page 2: Adrs Presentation March 2008

Today’s Topics

The Problem of Identity Theft
♦ What identity theft is in reality
♦ Laws related to identity theft that affect employers, executives and business owners

Best Answer to the Problem
♦ Layered protection
♦ Identity theft program and training
♦ Implementing reasonable steps at little or no cost that will lower your risk and minimize your exposure

Page 3: Adrs Presentation March 2008

Who Is Being Held Responsible

“A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.”

Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache”, BLR: Business and Legal Reports, September 19, 2006

Page 4: Adrs Presentation March 2008

Identity Theft Prevalent at Work

“With the workplace being the site of more than half of all identity thefts, HR executives must ‘stop thinking about data protection as solely an IT responsibility,’ says one expert. More education on appropriate handling and protection of information is necessary, among other efforts.”

“ID Thefts Prevalent at Work”, Human Resource Executive, April 5, 2007

Page 5: Adrs Presentation March 2008

Five Common Types of Identity Theft

♦ Driver’s License
♦ Medical
♦ Financial
♦ Social Security
♦ Character/Criminal

♦ Identity theft is not just about credit cards.
♦ It is a legal issue!
♦ It is an international crime and access to an attorney may be critical.

Page 6: Adrs Presentation March 2008

Where the Law Becomes Logical

Correcting the victims’ records is so overwhelming that it is imperative for businesses to protect the data.

“Once the credit systems accept bad data it can be next to impossible to clear.” USA Today, June 5, 2007

“Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult.” Wall Street Journal, October 11, 2007

Page 7: Adrs Presentation March 2008

The Cost to Businesses

♦ Employees can take up to 600 hours, mainly during business hours, to restore their identities

♦ “If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*

♦ “When it comes to cleaning up this mess, companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*

*CIO Magazine, “The Coming Pandemic”, Michael Freidenberg, May 15, 2006

Page 8: Adrs Presentation March 2008

Ask Yourself This Question

Why should all businesses, corporations, schools, financial institutions, hospitals and governmental bodies be concerned about identity theft, FACTA Red Flag Rules, GLB Safeguard Rules, and state legislation?

Answer: Liability, both civil and criminal.

Page 9: Adrs Presentation March 2008

Important Legislation

♦ FACTA and FACTA Red Flag Rules
♦ Fair Credit Reporting Act
♦ Gramm-Leach-Bliley Safeguard Rules
♦ Individual State Laws

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 10: Adrs Presentation March 2008

Fair and Accurate Credit Transactions Act (FACTA)

This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose and requires businesses to develop and implement a written privacy and security program.

Employee or customer information lost under the wrong set of circumstances may cost your company:

♦ Federal and State fines of $2,500 per occurrence
♦ Civil liability of $1,000 per occurrence
♦ Class action lawsuits with no statutory limitation
♦ Responsibility for the actual losses of an individual ($92,893 average)

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 11: Adrs Presentation March 2008

FACTA Red Flag Rules

The Red Flag Rules recently became effective in January 2008, and compliance is required by November 2008. Under these rules, covered accounts, creditors and businesses:

♦ Must develop and implement a written privacy and security program.

♦ Must obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors.

♦ Or, if the business does not have a board of directors, it must have a designated employee at the level of senior management. Small businesses are not exempt.

♦ The oversight, development, implementation and administration of the program must be performed by an employee at the level of senior management.

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 12: Adrs Presentation March 2008

FACTA Red Flag Rules

These rules also provide that covered accounts, creditors and businesses must ensure their service providers and subcontractors comply and have reasonable policies and procedures in place. The rules state:

♦ Liability follows the data.

♦ A covered entity cannot escape its obligation to comply by outsourcing an activity. Businesses must exercise appropriate and effective oversight of service provider arrangements.

♦ Service providers and contractors must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.

♦ Contractors with whom the covered accounts exchange PII are required to comply and have reasonable policies and procedures in place to protect information.

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 13: Adrs Presentation March 2008

Fair Credit Reporting Act (FCRA)

If an employer obtains, requests or utilizes consumer reports or investigative consumer reports for hiring purposes/background screening, then the employer is subject to FCRA requirements.

www.ftc.gov/os/statutes/031224fcra.pdf

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 14: Adrs Presentation March 2008

Gramm-Leach-Bliley Safeguard Rules

Eight Federal agencies and any State can enforce this law.

This law applies to organizations that maintain personal financial information regarding their clients or customers.

Non-Public Information (NPI) lost under the wrong set of circumstances may result in:

♦ Fines up to $1,000,000 per occurrence
♦ Up to 10 years jail time for executives
♦ Removal of management
♦ Executives within an organization can be held accountable for non-compliance both civilly and criminally

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 15: Adrs Presentation March 2008

Privacy and Security Laws

These laws apply to any organization including:

♦ Financial Institutions*

♦ Schools

♦ Credit Card Firms

♦ Insurance Companies

♦ Lenders

♦ Brokers

♦ Car Dealers

♦ Accountants

♦ Financial Planners

♦ Real Estate Agents

*The FTC categorizes an impressive list of businesses as FI, and these so-called “non-bank” businesses comprise a huge array of firms that may be unaware they are subject to GLB.

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 16: Adrs Presentation March 2008

Privacy and Security Laws

These laws require businesses to:

♦ Appoint, in writing, an Information Security Officer

♦ Develop a written plan and policy to protect non-public information for employees and customers

♦ Hold training for all employees

♦ Oversee service provider arrangements

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Page 17: Adrs Presentation March 2008

Protecting Personal Information: A Guide for Business

This FTC publication suggests that companies should:

“Create a culture of security by implementing a regular schedule of employee training” (pg 17)

“Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)

“Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)

Page 18: Adrs Presentation March 2008

Protecting Personal Information: A Guide for Business

“Before outsourcing any of your business functions – payroll, web hosting, customer call center operations, data processing, or the like – investigate the company’s data security practices . . . ” (pg 19)

Your liability follows your data . . .

Page 19: Adrs Presentation March 2008

ABA Journal, March 2006

Page 20: Adrs Presentation March 2008

“‘We’re not looking for a perfect system,’ Broder says. ‘But we need to see that you’ve taken reasonable steps to protect your customers’ information.’”

– “Stolen Lives”, ABA Journal, March 2006

Page 21: Adrs Presentation March 2008

Law Firms Are Looking for Victims

“Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”

“Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”

Page 22: Adrs Presentation March 2008

Why and How We Help You…

♦ Set up reasonable steps to protect non-public information (NPI)/personally identifiable information (PII)

♦ Help create a “Culture of Security”

♦ Set up a potential Affirmative Defense

♦ Help protect employees and customers while potentially decreasing your company’s exposure

Page 23: Adrs Presentation March 2008

Affirmative Defense Response System

♦ We start the compliance process for your company by providing templates for the appointment of the security officer and the written ID Theft security plan.

♦ To assist your company with compliance issues, we will conduct the training required by law for your employees. We will also explain the different types of ID Theft and show your employees how they can protect themselves if they become a victim, and why their and your customers’ personal information needs to be protected.

♦ We do all of this at no direct cost to your company.

Page 24: Adrs Presentation March 2008

1. Appointment of Security Compliance Officer

February 1, 2008

[insert employee designee]

RE: Appointment of Security Compliance Officer

Dear [employee]:

As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer. As Security Officer you will be responsible for designing, implementing and monitoring a security program to protect the security, confidentiality and integrity of personal information collected from and about our employees, consumers and vendors. As Security Officer you will help [Company] identify material internal and external risks to the security of personal information; design and implement reasonable safeguards to control the risks identified in the risk assessment; evaluate and adjust the program in light of testing results; and continuously monitor the program and procedures. As Security Officer, you will be provided by [Company] with access to training courses and materials on a continuing basis.

Thank you for your commitment to [Company].

Sincerely,

[Company] Chief Executive Officer

Page 25: Adrs Presentation March 2008

2. ID Theft Plan and Sensitive and Non-Public Information Policy

SENSITIVE INFORMATION POLICY AND IDENTITY THEFT PREVENTION PROGRAM

1. BACKGROUND

The risk to the company, its employees and customers from data loss and identity theft is of significant concern to the company and can only be reduced through the combined efforts of every employee and contractor.

2. PURPOSE

The company adopts this sensitive information policy to help protect employees, customers, contractors and the company from damages related to loss or misuse of sensitive information. This policy will:

♦ Define sensitive information
♦ Describe the physical security of data when it is printed on paper
♦ Describe the electronic security of data when stored and distributed

Putting the Identity Theft Prevention Program in place enables the company to protect existing customers, reduce risk from identity fraud and minimize potential damage to the company from fraudulent new accounts. The program will:

♦ Identify Red Flags that signify potentially fraudulent activity within new or existing covered accounts
♦ Detect Red Flags when they occur in covered accounts
♦ Respond to Red Flags to determine if fraudulent activity has occurred and act if fraud has been attempted or committed
♦ Update the program periodically, including reviewing accounts that are covered and Red Flags that are part of the program

Page 26: Adrs Presentation March 2008

3. Privacy and Security Letter

To All Employees
[Company]

RE: MANDATORY EMPLOYEE MEETING
PRIVACY AND SECURITY PROGRAM AND IDENTITY THEFT TRAINING
[insert date, time and location]

On [insert date], [company] will host a mandatory employee meeting and training session on identity theft and privacy compliance. Additionally, as an employee, you will be provided an opportunity to purchase an identity theft product. As you know, [company] makes every effort to comply with all Federal Trade Commission guidelines to protect personal employee, customer and vendor information. As part of our security program, we want to train all employees on concrete steps to help reduce the risk of security breaches and identity theft. This program is important to [company] and your attendance is mandatory. I look forward to seeing each of you there on [date].

Sincerely,

[Company] CEO

Page 27: Adrs Presentation March 2008

4. May Reduce Company Losses

In the event of a data breach, this may help mitigate potential losses for your company. Our program may reduce your exposure to litigation, potential fines, fees and lawsuits. We will train on privacy and security laws and offer your employees a payroll deduction benefit that includes:

♦ Credit Monitoring

♦ Full Restoration

♦ Access to Legal Counsel

This means employees who participate in this program may reduce your company’s exposure. The majority of the time spent restoring an employee’s identity is covered by the memberships and is not done on company time and/or at company expense. Also, use of our Life Events Legal Plan provides help* that addresses related issues.

[Diagram: Life Events Legal Plan & Legal Shield; Monitoring Services; Restoration Services]

* Subject To Terms And Conditions

Page 28: Adrs Presentation March 2008

5. Potential Early Warning System

If a number of your employees are notified of improper usage of their identities, this may act as an early warning system to your company of a possible internal breach, which could further reduce your losses.

Page 29: Adrs Presentation March 2008

6. May Provide an Affirmative Defense

BLR says this “Provides an Affirmative Defense for the company.”

“One solution that provides an affirmative defense against potential fines, fees, and lawsuits is to offer some sort of identity theft protection as an employee benefit.

An employer can choose whether or not to pay for this benefit. The key is to make the protection available, and have an employee meeting on identity theft and the protection you are making available, similar to what most employers do for health insurance … Greg Roderick, CEO of Frontier Management, says that his employees ‘feel like the company's valuing them more, and it's very personal.’”

Business and Legal Reports, January 19, 2006

Page 30: Adrs Presentation March 2008

7. Provide Proof You Offered a Mitigation Plan to Your Employees – Check-Off Sheet

Identity Theft Protection and Legal Service (Proof of Offer of a Mitigation Plan)

I, as an employee of _______________________ located in ____________________, acknowledge that a Pre-Paid Legal Services, Inc., independent sales associate made available to me the Identity Theft Shield and a Pre-Paid Legal Services, Inc. membership.

Identity Theft Shield:

o Initial credit report and guide on how to read the report
o Continuous credit monitoring
o Identity restoration in the event of a theft

Life Events Legal Plan:

o Preventive legal services provided through a network of independent provider attorney law firms in each state and province

o Phone consultation with attorneys, review of documents, and phone calls and letters for any legal matter and issues regarding identity theft, including concerns regarding my: 1) driver’s license, 2) medical information, 3) social security number, 4) character/criminal identity, and 5) credit identity and information

o A will for me and my spouse
o Motor vehicle moving violation representation
o Trial defense
o IRS audit
o Legal Shield 24 hours a day, 7 days a week when arrested or detained
o Discounted rate for other legal services

I have seen the presentation with the specific benefits, limitations and exclusions of these plans. The company made these benefits available to me at my expense.

___ I have decided to enroll.
___ I have decided not to enroll in the plan.

Name: _____________________________ Date: _______________________
Signature: __________________________ Witness: _____________________

Page 31: Adrs Presentation March 2008

8. Mitigating Damages

Use of Confidential Information by Employee

♦ It makes employees aware of their legal responsibilities to protect NPI

♦ It serves as proof that handlers of NPI have completed the training required by law

To potentially protect yourself, you should have all employees sign this document…

Be Sure To Check With Your Attorney Before Using A Form Such As This

Page 32: Adrs Presentation March 2008

8. Continued – This form or one similar to it is required by the FTC for all employees*

* FTC – Protecting Personal Information: A Guide for Business, pg 15

Use of Confidential Information By Employee

I, _______________, as an employee of _________________, do hereby acknowledge that I must comply with a number of state and federal laws which regulate the handling of confidential and personal information regarding both customers/clients of the company and its other employees. These laws may include, but are not limited to, FACTA, HIPAA, the Privacy Act, Gramm-Leach-Bliley, and ID Theft Laws (where applicable).

I understand that I must maintain the confidentiality of ALL documents, credit card information, and personnel information of any type and that such information may only be used for the intended business purpose. Any other use of said information is strictly prohibited. Additionally, should I misuse or breach any personal information of said clients and/or employees, I understand I will be held fully accountable both civilly and criminally, which may include, but is not limited to, Federal and State fines, criminal terms, and real or implied financial damage incurred by the client, employee or the company.

I have received a copy of the company’s Sensitive and Non-Public Information Policy. I understand and will fully comply with its provisions along with all other rules and regulations the company has in place regarding the handling of confidential information so as to protect the privacy of all parties involved. I also acknowledge that I have participated in a company sponsored Privacy and Security Identity Theft Training Program.

________________________________________ __________________
Employee Signature                        Date

________________________________________
Witness Signature

Page 33: Adrs Presentation March 2008

Disclaimer

1. The laws discussed in this presentation are, like most laws, routinely amended and interpreted through legal and social challenges. You are encouraged to review the laws and draw your own conclusions through independent research.

2. The associate is not an attorney, and the information provided is not to be taken as legal advice.

3. Your particular program must be tailored to your business’s size, complexity, and nature of its operation. Be sure to check with your attorney on how these laws may apply to you.

4. Although our program serves as a potential affirmative defense for your business and greatly increases your protection, this may not be an absolute defense. We make no guarantee that implementing our program will protect the business from all liability.

Page 34: Adrs Presentation March 2008

Legal Advisory Council

The Advisory Council was established to provide quality counsel and advice.

Duke R. Ligon, Advisory Council Member, Former Senior V.P. & General Counsel, Devon Energy Corp

Grant Woods, Advisory Council Member, Former Arizona Attorney General

Andrew P. Miller, Advisory Council Member, Former Virginia Attorney General

Mike Moore, Advisory Council Member, Former Mississippi Attorney General

Page 35: Adrs Presentation March 2008

Take Charge

Just like other State and Federal laws, privacy and security laws are not optional. We can assist your company in starting the compliance process before a data breach, loss, or theft affects your employees or customers!

We can help provide a solution!

When would you like to schedule your employee training?