Thursday, April 30, 2009

Wonders of the Modern Business World

Perhaps you are familiar with the Library at Alexandria – at its peak, it boasted around 700,000 painstakingly acquired scrolls, making it the largest assembly of information in the ancient world. While the exact details of its demise are disputed, it is known that the last repository of its once-fabulous collection was destroyed at the end of the fourth century A.D. Naturally, while it was difficult to replace seven centuries of knowledge, it was important to try: in 1974, serious planning began for the Bibliotheca Alexandrina, which was inaugurated in 2002 near the site of the original library. It is estimated that it will take approximately eighty years to fill the state-of-the-art structure to capacity.

Odds are good that your business doesn’t have 1600 years to recover from disaster, or even eighty to get back on track. Data compiled by the Disaster Recovery Institute finds that the majority of businesses that are unable to quickly recover computer operations after experiencing a serious loss of critical data will fail within two years. Several things contribute to this unfortunate statistic:
  • bad publicity
  • loss of customer confidence
  • loss of internal workflow
  • loss of sales capability
  • inability to process customer orders
  • loss of cash flow
  • high cost of manual restoration of critical databases

Many companies are aware of the need to back up their server and keep the tapes offsite. What they are not aware of is the depth of contemporary records management and the way it is used in not only disaster recovery, but in business efficiency, cost reduction, regulatory compliance, and an evolution into an eco-friendly paperless environment. Over the next few days, we’ll be exploring the world of ERM, ECM, BPM, and a whole host of other acronyms that mean nothing to you now, but could make a huge difference in your organization.

Friday, April 17, 2009

Wednesday, April 15, 2009

Looking for some "Go Green" baby steps?

  • According to Forrester Research, a copier, two printers, and a fax machine use a combined 1400 kWh per year. A multi-function device performing equivalent tasks uses only 700 kWh per year. That's half the energy and one-fourth the owner's manuals!

  • A case of copy paper (5000 sheets) costs an average of $40. Conservatree estimates that the same case of paper uses approximately 60% of a tree. What does that mean in terms an office manager can relate to? A filing cabinet holds approximately 10,000 sheets of paper. That paper costs the company about $80 and the environment 1.2 trees (and that's just the paper, not the folders). Ten filing cabinets will cost $800 and twelve trees.

    Consider the size of that cost for a moment. Now consider the cost of 500 MB worth of storage (that's less than one CD) that will hold an entire filing cabinet of information in a paperless environment. Those ten filing cabinets comprise about 5000 MB of storage - the size of one DVD plus half of a CD.

  • Using recycled paper and shredding with a company that uses a paper mill for recycling provide a two-fold boost for the trees. Paper containing 30% post-consumer content saves almost 2% of a tree per ream or 18% per case. Paper with 50% post-consumer content saves 3% per ream or 30% per case.

Monday, April 13, 2009

Responsible Business Practices = Customer Retention

In the current climate of uncertain finances and regular reports of identity theft and fraud, consumers are looking more closely at where they put their business. From purchasing an automobile or a cell phone plan to choosing a bank or a doctor, we are all thinking twice about what we can afford to spend and who we can afford to spend it with. With that in mind, there are a few things to consider in your records management practices.

For starters, most industries are under some form of legislation regulating how they must maintain their records. It goes without saying that some of the rules can be vague at best and downright tedious at worst. However, if you take the extra time to reorganize your business practices to work with these rules instead of making small concessions to skate by, you are often going to find that your business will begin to operate more smoothly and give you less cause for panic when an audit or inspection rolls around.

Secondly, how much data do you really require on each customer or patient in your records? According to the New York Times (4/5/09), professors at The Wharton School view retention of any personal data as a liability and strongly recommend keeping the amount of information in your possession to a minimum. Do you really need that social security number? Last three employers? Credit card number? If you don't have to have it, don't put your clients (and yourself) at risk by keeping it in your files.

Finally, use your records management practices as a marketing tool. Are you archiving your hard copies at a secure offsite facility rather than within the grasp of every new employee that walks through the door? Are you shredding confidential information with a bonded company rather than throwing your shredded (or, Heaven forbid, unshredded) documents in the dumpster? Are you keeping your records backed up offsite or in the cloud in case of disaster? Your customers will value the security and be far more likely to keep their trust in you when they are cutting budgets if you can show them that you take their peace of mind seriously.

Thursday, April 9, 2009

Red Flagging the Telecom Company

While the Red Flags Rule has basically the same end result for all entities required to be in compliance, the specifics of how this affects individual industries can become confusing. Today's article from the FTC takes a look at telecommunications companies.

The “Red Flags” Rule:
What Telecom Companies Need to Know About Complying with New Requirements for Fighting Identity Theft

by Tiffany George and Pavneet Singh
Federal Trade Commission

As many as nine million Americans have their identities stolen each year. The crime takes many forms. Thieves may buy a car, obtain a credit card, or establish telephone or Internet service using someone else’s identity. Consumers may not find out they’re victims of identity theft until they review their credit reports or read their monthly statements and notice charges they didn’t make – or until they get a call from a debt collector.

For millions of consumers, identity theft inflicts economic, psychological, and emotional harm. Victims may have to spend money and time repairing the damage to their good name and credit record. The cost to business can be staggering as well, with charges racked up by identity thieves unpaid and uncollectable.

Telecommunications companies may be the first to spot the red flags that signal the risk of identity theft, including suspicious activity suggesting that crooks may be using stolen information to establish service. That’s why you need to know about a new law that requires many businesses – including most companies that provide telecommunications services to consumers – to spot the red flags that can be the telltale signs of identity theft and do something about them.

The new regulation – called the Red Flags Rule – requires companies to develop a written “red flags program” to detect, prevent, and minimize the damage that could result from identity theft. The Federal Trade Commission, the nation’s consumer protection agency, enforces the Red Flags Rule.

The FTC will begin enforcing the Rule on May 1, 2009. Is your company required to comply with the Red Flags Rule? If so, what’s your next step?

WHO MUST COMPLY

Companies that provide telecommunications services may be covered by provisions of the Rule that apply to “creditors.” The Rule includes some specific definitions and exceptions, but it boils down to this: If your company regularly bills customers after services are provided, you are a creditor under the new law and will have to develop a written program to identify and address the red flags that could indicate identity theft in your covered accounts. The rule defines a “covered account” as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft.

SPOTTING RED FLAGS

The Red Flags Rule gives telecom companies the flexibility to implement an identity theft prevention program that best suits their business, as long as it conforms to the Rule’s requirements. The Rule requires that your program identify relevant red flags, detail your process for detecting them, describe how you will respond to them to prevent and mitigate identity theft, and spell out how you will keep your program current. Many companies already have fraud detection or prevention procedures they can incorporate into their program. Your program should be appropriate to the size of your organization, as well as to the nature of your business.

What red flags signal identity theft? There’s no standard checklist, but here are a few signs that may arouse your suspicions:
  • Alerts, notifications or warnings from a consumer reporting agency. For example, if a fraud alert is included with a credit report, federal law requires you to take reasonable steps to verify the identity of the customer who wants to open an account with you. If you find out that there’s a credit freeze in place, you may want to follow up and ask for more information.
  • Suspicious documents. Has an applicant given you identification documents that look altered or forged? Is the physical description on the identification inconsistent with what the applicant looks like? Is other information on the identification inconsistent with what the customer’s told you? More investigation may be required.
  • Suspicious personally identifying information. Personal information that doesn’t match what you’ve learned from other sources may also be a red flag of identity theft. For example, if the current address doesn’t match the address in the consumer report – or if the Social Security Number doesn’t match the date of birth – fraud could be afoot. If the address on the application is fictitious or a mail drop – or if the only contact information is a pager – there may be a problem.
  • Suspicious activity relating to a covered account. Did a customer ask for a new cell phone or add a new authorized user soon after a change of address? Did a customer’s use patterns abruptly change? Did a new customer fail to make the first payment or make an initial payment but no others? Is mail returned repeatedly as undeliverable even though transactions still are being conducted on the account? Don’t ignore the voice of experience when it tells you that something seems questionable.
  • Notices from victims of identity theft, law enforcement authorities, or others suggesting that an account may have been opened fraudulently. Cooperation is key. Heed warnings from others that identity theft may be ongoing.
Of course, a red flag by itself may not indicate ID theft, but may be relevant in a larger context.

SETTING UP AND WRITING DOWN YOUR RED FLAGS PROGRAM

Once you’ve identified the red flags that are relevant to your business, your program should include the procedures you have put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? Will you close questionable accounts or monitor them more closely? Will you contact the consumer directly? When automated systems detect red flags, will you manually review the file? Finally, because identity theft threats change, consider how you will keep your program current to ensure you address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Rule, the program must be approved by your Board of Directors or – if your company doesn’t have a Board – by a senior employee. The Board may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff, and provide a way for you to monitor the work of your service providers. The key is to make sure that all members of your staff are familiar with the Rule and the new compliance procedures.

WHAT’S AT STAKE

Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your customers that you are doing your part to fight identity theft.

For more information about designing a compliance program and your compliance responsibilities, email RedFlags@ftc.gov or visit ftc.gov.

Tiffany George and Pavneet Singh are attorneys in the Federal Trade Commission’s Bureau of Consumer Protection.

Wednesday, April 8, 2009

The Red Flags Rule

Over the next few days, we'll be sharing some information on the Red Flags Rule as provided by the FTC. More information on business compliance can be found at their new how-to guide.

The “Red Flags” Rule: Are You Complying with New Requirements for Fighting Identity Theft?

by Tiffany George and Pavneet Singh

The expression “red flag” signals “Danger: Be alert to problems ahead.” For millions of consumers every year, identity theft is more than a threat — it’s their reality. The economic, psychological, and emotional harm to victims can be devastating. But businesses often bear the biggest part of the monetary damage from identity theft.

It’s everyone’s responsibility to do what they can to fight identity theft. But businesses and organizations that offer credit or other financial services can be the first to spot the red flags that signal the risk of identity theft, including suspicious activity indicating that identity thieves may be using stolen information like names, Social Security numbers, account numbers, and birth dates to open new accounts or raid existing ones.

Under the Red Flags Rule, which went into effect on January 1, 2008 *, certain businesses and organizations are required to spot and heed the red flags that often can be the telltale signs of identity theft. To comply with the new Red Flags Rule — enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) — you may need to develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.

Are you covered by the Red Flags Rule? If so, have you put into place the new procedures the Rule requires?

Who Must Comply

Although every business or organization with an ongoing relationship with consumers should keep an eye out for the possibility of identity theft, the Red Flags Rule applies only to “financial institutions” and “creditors.” To determine if your business or organization is covered by the Rule and required to develop a written identity theft Program, you’ll need to answer two questions:

Is your business or organization either a “financial institution” or “creditor,” as those terms are defined in the Rule?

If so, do you have “covered accounts”?

A “financial institution” is a bank, savings and loan, credit union, or other entity that holds a “transaction account” belonging to a consumer. A “transaction account” is an account that allows the owner to make payments or transfers. Examples include checking accounts, savings accounts that permit automatic transfers, and share draft accounts. Another example would be a brokerage account that allows consumers to write checks.

Your business or organization is a “creditor” if you regularly:
  • extend, renew, or continue credit;
  • arrange for someone else to extend, renew, or continue credit; or
  • are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Under the Rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services. However, simply accepting credit cards as a form of payment does not make you a creditor under the Rule.

If you determine you’re a financial institution or a creditor, the next step is to see if you have “covered accounts.” There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. Examples include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking or savings accounts.

The other is one for which there is a foreseeable risk of identity theft. For example, one type of account that should be considered for coverage because it may be vulnerable to identity theft is a small business or sole proprietorship account. In determining whether you have such an account, consider the risks associated with how the accounts may be opened or accessed — i.e. what type of interaction and documentation is required — as well as your experience with identity theft.

If your business or organization is a financial institution or creditor, but does not have any covered accounts, you don’t need a program. But if you have covered accounts, you must develop a written program to identify and address the red flags that could indicate identity theft.

How To Comply

The Rule doesn’t tell you specifically what your red flags program must look like. Instead, it gives you flexibility to implement a program that best suits your business or organization, as long as it meets the Rule’s requirements.

Your starting point for developing a program is the Guidelines issued with the Red Flags Rule, available at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. (The Guidelines are on pages 63773-63774 of the document.) The Guidelines list the issues you must consider in developing and maintaining a program appropriate for your business or organization. You also should draw on your own experience and knowledge about identity theft risks in developing your program.
There are four basic steps to designing a program to comply with the Rule:

  • Identify relevant red flags;
  • Detect red flags;
  • Prevent and mitigate identity theft; and
  • Update your program periodically.

In addition, your program must spell out how it will be administered. The program should be appropriate to the size and complexity of your company or organization, as well as the nature of your operations.

Identify Relevant Red Flags

Under the Rule, financial institutions and creditors with covered accounts must develop a written program to identify the warning signs of identity theft.

The Guidelines describe the following categories of warning signs — red flags — that your program must identify and address:

  • alerts, notifications, or warnings from a consumer reporting agency;
  • suspicious documents;
  • suspicious personally identifying information;
  • suspicious activity relating to a covered account; or
  • notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
When identifying red flags, consider the nature of your business and the type of identity theft to which you might be vulnerable.

Detect Red Flags

Once you’ve identified the red flags that are relevant to your organization or business, you must establish policies and procedures to detect them in your day-to-day operations.

For example, you may spot red flags when you verify a consumer’s identity, authenticate customers, monitor transactions, or verify requests for changes of address. Some red flags may seem harmless on their own, but can signal identity theft when paired with other events, say, a change of address coupled with the use of an address associated with fraudulent accounts.

Prevent and Mitigate Identity Theft

Your program must include appropriate responses to your red flags to prevent and mitigate identity theft. These responses could include monitoring an account, closing an account, not opening a new account, contacting the consumer when you spot a red flag, or a combination. Sometimes you may determine that no response is necessary. In other cases, certain events — such as a recent data breach, a phishing fraud that targeted your business or organization, or another suspicious activity — may raise the risk of identity theft and require specific preventive actions.

Update Your Program Periodically

Because identity theft threats change, your program must describe how you will update it to ensure that you are considering new risks and trends.

Administering Your Program

No matter how good your program looks on paper, the true test is how it works. Your program must describe how it will be administered, including how you will get the approval of your management, maintain the program, and keep it current.

According to the Rule, your program must be approved by your Board of Directors or, if your business or organization doesn’t have a Board, by a senior employee. The Board or designated senior employee also must approve any material changes to the program. Your program should include staff training as appropriate, and provide a way for you to monitor the work of your service providers. The keys are to maintain oversight of the program, keep it relevant and current, and ensure that all necessary members of your staff — from the boardroom to the mail room — are on board. A program that stays in a filing cabinet isn’t a good program.

Penalties for Noncompliance

Although there are no criminal penalties for failing to comply with the Red Flags Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties. But there’s an even more important reason for compliance: It’s just plain good business. It assures your customers that you are doing your part to fight identity theft.

Have questions about how health care providers can comply with the Rule? Email RedFlags@ftc.gov.

* On October 22, 2008, the Federal Trade Commission issued an Enforcement Policy statement that delays enforcement of the Red Flags rule until May 1, 2009 (http://www.ftc.gov/opa/2008/10/redflags.shtm). Although the Rule is in effect, the FTC will wait until May 2009 to enforce it. This does not affect enforcement of the address discrepancy and credit card issuer rules. Nor does it affect compliance for entities not under the jurisdiction of the Commission.

Tiffany George and Pavneet Singh are attorneys in the Federal Trade Commission’s Division of Privacy and Identity Protection.
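The red-flag categories the FTC lists in both articles above, together with the point under "Detect Red Flags" that one flag may only matter when paired with other events, worked as a small rule-based screen over an account record. This is an added example written for this post, not FTC or blog code; the Account record, the event kinds, the 30-day window, and the response policy are all assumptions made up for it.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Account:
    """Hypothetical record: application, consumer report, (date, kind, detail) events, notices."""
    application: dict
    consumer_report: dict
    events: list = field(default_factory=list)
    notices: list = field(default_factory=list)

# One rule per Guidelines category; each returns a reason string or None.
def report_alerts(acct, as_of):
    rpt = acct.consumer_report
    if rpt.get("fraud_alert"):
        return "fraud alert on consumer report: verify identity before opening"
    if rpt.get("credit_freeze"):
        return "credit freeze in place: ask the applicant for more information"

def suspicious_pii(acct, as_of):
    app, rpt = acct.application, acct.consumer_report
    if app.get("address") != rpt.get("address"):
        return "application address differs from consumer-report address"
    if app.get("contact_methods") == ["pager"]:
        return "only contact information given is a pager"

def suspicious_activity(acct, as_of, window=timedelta(days=30)):
    ev = sorted(acct.events)
    moves = [d for d, k, _ in ev if k == "address_change"]
    for d, k, _ in ev:  # new user or handset soon after an address change
        if k in ("add_authorized_user", "new_handset") and any(
                timedelta(0) <= d - m <= window for m in moves):
            return f"{k} within {window.days} days of an address change"
    returned = [d for d, k, _ in ev if k == "mail_returned"]
    if len(returned) >= 2 and any(
            k == "transaction" and d > returned[-1] for d, k, _ in ev):
        return "mail repeatedly returned while transactions continue"
    bills = [d for d, k, _ in ev if k == "bill"]
    if bills and as_of - bills[0] > window and not any(
            k == "payment" and d >= bills[0] for d, k, _ in ev):
        return "no payment received on the first bill"

def outside_notices(acct, as_of):
    if acct.notices:
        return "possible identity theft reported by: " + ", ".join(acct.notices)

RULES = {
    "consumer report alert": report_alerts,
    "suspicious personal information": suspicious_pii,
    "suspicious account activity": suspicious_activity,
    "notice of identity theft": outside_notices,
}

def screen(acct, as_of):
    """Return {category: reason} for every rule that fires on the account."""
    return {c: r for c, rule in RULES.items() if (r := rule(acct, as_of))}

def respond(fired):
    """Hypothetical policy: one flag gets a review; two categories, or any notice, a hold."""
    if not fired:
        return "no action"
    if len(fired) >= 2 or "notice of identity theft" in fired:
        return "hold account and contact consumer"
    return "manual review"

# Constructed sample: a cell-phone account whose data trips two categories.
AS_OF = date(2009, 4, 9)
SAMPLE = Account(
    application={"address": "12 Oak St", "contact_methods": ["phone"]},
    consumer_report={"address": "98 Elm Ave"},
    events=[
        (date(2009, 3, 2), "address_change", "to 12 Oak St"),
        (date(2009, 3, 10), "add_authorized_user", "second line"),
        (date(2009, 3, 15), "mail_returned", "undeliverable"),
        (date(2009, 3, 29), "mail_returned", "undeliverable"),
        (date(2009, 4, 3), "transaction", "international calls"),
    ],
)
```

Calling `screen(SAMPLE, AS_OF)` fires the personal-information and account-activity rules, and `respond` escalates because two categories fired together rather than one in isolation.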

Tuesday, April 7, 2009

Speaking of Taxes...

The thought of an IRS audit is not one most would entertain with open arms, but the possibility of being chosen is a fact of doing business in the United States. To come through it without fines and legal drama, you must have absolutely thorough documentation; this includes everything from your filed returns to your receipt for a small charitable donation. Perhaps the record of its existence is noted in your accounting software, but there can be a big step between knowing (or hoping) something exists and knowing where to find it.

Despite their best efforts, many businesses simply don’t have the filing system or the data security in place to produce said documentation without a scouring of multiple locations and a trip or two to the accountant. Compounding the problem is the likelihood that an employee has inadvertently misfiled a piece of paper that you need, or worse, thrown it out in an effort to manage the disarray.

In addition, you cannot afford the potential consequences of being non-compliant with rapidly changing government regulations. It is difficult to stay on top of records retention requirements to begin with, and putting an effective schedule in place can be nearly impossible for the reams of printed data a business produces in a year. This generally results in one of two things: either the information is kept too long, causing storage needs and expenses to spiral out of control, or it is thrown away too soon, which can put you at risk for exorbitant fines and publicity you don’t want.

So what is the answer? At the very least, each year’s records and receipts should be boxed together in meaningful files, and any electronic data should be backed up; this information should then be sent off to a secure off-site location where it can be indexed for easy retrieval and scheduled for destruction where recommended. This not only puts your data where you can find it, it secures your sensitive information from inquisitive employees with a key to the filing cabinet.

However, this still leaves your files on paper, which happens to be a vulnerable substance. To put your files in the safest place possible, they should be scanned to a secure server where they will be even more accessible to you, but protected from catastrophe by multiple back-ups. Many agencies, including the IRS, now allow for the destruction of certain paper documents as long as an electronic version exists.