‘Leadership’ Articles

FTC Red Flags Rule Goes into Effect June 1st, 2010

The FTC  will begin enforcing the Red Flag Rule on June 1st, which states that certain businesses and creditors must help fight identity theft as well as create an identity theft prevention plan. This applies to a very broad class of businesses: those defined as “financial institutions” and those that extend any type of credit to their customers.

In other words, if you don’t receive cash the moment you deliver your product or service to your customer, your business most likely falls under the umbrella of the Red Flags Rule. If you do any billing after the fact (i.e., accounts receivable), you are considered a creditor, and therefore in the group of companies governed by Red Flags.

This includes:

• Any Business that Extends Credit
• All Banks
• Most Brokerage Firms
• Credit Card Companies
• Mortgage Lenders
• Non Traditional lenders (utilities, dealerships, health care providers)

Building an Identity Theft Prevention Plan

According to the FTC, the identity theft prevention plan consists of four main parts:

1. Identification: The plan needs to provide a process to identify patterns, activities or transactions (i.e. red flags, hence the name) that appear to be leading to identity theft.
2. Detection: The plan needs to specifically call out processes and procedures that will be used to detect the previously defined red flags.

As we discussed in Electronic Information Privacy – Securing Your Job Part I, if you are an employee at a corporation, association, university or small business, you must realize that protecting electronic information and organizational data is vital not only to your company’s profitability, but for your job security.

Here is a crash course on how to promote information security within your company. The most effective way to build a Culture of Privacy is to break it down into 3 simple steps (most corporations skip the first step, dooming them to failure):

1.    Motivate the Individual. Train yourself, your employees and executives on how to protect identity and company information first. Learning the basic principles of privacy at an individual level is a pre-requisite for all subsequent forms of data security, and supplies the necessary motivation to apply the same habits at work. Each employee needs to overcome their own apathy, ignorance and inaction before they are equipped to protect corporate assets.  By making it personal, your executives and employees are acquiring the building blocks necessary to construct a corporate Culture of Privacy. Electronic information privacy training is good for their wellness, and is a means to a safer and more profitable end.

Electronic information privacy will eventually be one of the criteria on your job performance review. In fact, it’s not just electronic data that you should be concerned about, but all data. If you are an employee or executive at a corporation, association, university or small business, you must realize that protecting organizational data is vital not only to your company’s profitability, but to your job security. If it isn’t right now, it will be soon.

As a company employee or business leader, it is essential that you clearly understand the relationship between identity theft, data breach and your bottom line.  One of the costliest data security mistakes I see executives make is that they initially approach data privacy from the perspective of the company. They don’t recognize the following reality: All privacy is personal. It’s not electronic information privacy. It’s not physical data privacy. It’s personal.

In other words, many people in your organization won’t care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them. If employees and executives don’t care about protecting their own identities (to prevent identity theft), how can you expect them to care about protecting corporate identity (to prevent data breach)? Like the emergency oxygen masks on a de-pressurized airplane, you’d better put your own on first or you’ll be worthless to those around you. Protecting yourself first isn’t self-centered; it’s effective and educational. Information Privacy Training begins at the human level and expands outwards to the group level. And it is not technical by nature.

The Department of Defense recently published an article about a speech I gave at the Joint Family Readiness Conference hosted by the Office of Military Community and Family Policy.

Military family members gathered here to learn how to prevent identity theft and I taught them to “think like a spy” in every aspect of protecting their personal information.

To think like a spy requires some specific mindsets and an instant reflex to those who are requesting their personal information. These reflexes are called triggers. I refer to the five triggers as the “Hogwash 5” because when a solicitor says them, your response should be “hogwash.” They are: “trust me,” a claim of protecting finances, asking for a “little bit” more information and things I call “bribe bias and fear bias.”

Preventing identity theft doesn’t have to be difficult, but it does take some effort. You are in control of this amazingly powerful asset called your identity, but you have to be willing to protect the value of that asset.

Click Here to read the entire article.

John Sileo became America’s leading Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC.  To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076

We’ve gone soft; we fear honesty. I think we even fear being honest with people more than we fear people being honest with us. Honesty has become synonymous with ugly confrontation, rather than just being, well, honesty.

Yesterday, a good friend emailed me a two sentence note reminding me that I hadn’t done something that I’d promised I would do. What I had promised is immaterial to this post, but that I had promised to do it, and then failed, is very important. I gave my word to a good friend, and then ignored my promise. And he had the guts to remind me. In fact, he’s laughing at me right now that I even consider his reminder to be a big deal, because to him it would be phony not to remind me. That’s who he is. And he’s a better friend for it. And in no way could what he did be called confrontational. Direct, yes. Honest, yes.

Here’s the striking part that makes me uncomfortable — I only have THREE friends (in addition to my wife, who is my honesty compass) who have the backbone to call me on something like this. And that makes me sad, because I have many friends, and it means that most of the time I’m probably not hearing the whole truth, maybe just a watered down version of what they think I want to hear. And who knows, maybe that is what I want to hear. Worse yet, I’m not sure I would have confronted me like my friend did (even though it was something minor), which means that I’m no better that those I’m condemning as soft.

Only in California! A Huntington Beach woman used another woman’s identity to pay for breast implants and liposuction. At first glance, it’s a laughable story. But imagine being the woman who has to prove that she wasn’t the augmentation recipient! Remember, with identity theft, you are guilty until you prove yourself innocent. Medical identity theft will take us to new and embarrassing depths in order to prove that we are innocent. It will give new meaning to the phrase “bearing witness”. And it prompts the question of why we don’t have a set of universal rules that govern our personally identifying information?

On a related note, I recently became involved with the Santa Fe Group which published an excellent white paper informally known as the Identity Theft Bill of Rights. Registering for a download of the paper is well worth your time – it does an excellent job of summarizing the identity theft issues that we, as Americans, face in the coming years. It includes discussions about modifying language in HIPAA to protect against medical identity theft crimes similar to and far more serious than the Huntington Beach case.

As our population grows older on the shoulders of the baby boomers, medical identity theft and its cousins will become ever more prevalent and damaging. Help us fight for our identity rights by getting involved. Start by registering for a webinar put on by the Santa Fe Group called:

Victims’ Rights: Fighting Identity Crime on the Front Lines

Here is the recent press release from the Santa Fe Group announcing the Bill of Rights:

At the Privacy Project, our success is your nightmare (unless you are my speaking agent).

Business at the Sileo Group and engagements as an identity theft speaker are up 400% compared with the same period last year. I am booked for exactly 4X as many identity theft prevention and privacy leadership speeches in the first quarter of 2009 as I was in 2008; and 2008 brought me more work than I could handle on my own. Some of this is due to an extensive contract with the Department of Defense, but not all of it.

I’m not sharing our success to blow my own horn, though admittedly, it is satisfying to finally share some good news with you after having lost so much to this crime.

I’m sharing because our success gave me cold sweats at 3am this morning.

Why? Because the strength of my business is inversely proportional to the safety of yours. My business is thriving because identity theft is thriving, and that is not my purpose for being in business. I am in the identity theft prevention business to put myself out of a job. When I say it keeps me awake at night, I’m being sincere. At 3am this morning, I spent several hours deciphering the underlying causes responsible for the exploding demand for identity theft speakers… even as the meetings and speaking business has suffered drastically at the hands of the spiraling economy. And then it came to me; I realized that the answer was contained in the question…

Technology is not the root cause of identity theft, data breach or cyber crime.

We are.

Too often, technology is our scapegoat, providing a convenient excuse to sit apathetically in our corner offices, unwilling to put our money where our profits are. Unwilling, in this case, to even gaze over at the enormous profit-sucking sound that is mass data theft. The deeper cause of this crisis festers in the boardrooms of corporate America. Like an overflowing river, poor privacy leadership flows inexorably downhill from the CEO, until at last, it undermines the very banks that contain it.

The identity theft and data breach bottom line?