Red Flag Rules to Decrease Identity Theft
9 Oct, 2009 By: Karen Smith imageSource
As identity theft and fraud continue to rise, many organizations, including your
dealership, need to know how to protect themselves and their customers.
According to a study by Javelin Strategy & Research, in 2007, 8.1 million
Americans were victims of identity fraud. Many may not realize that the
highest-impact security incidents often originate from within organizations and
have the potential to trigger multiple cases of individual security breaches and
According to a study by the Ponemon Institute in 2009, nearly 60 percent
of employees who quit a job or are asked to leave take proprietary data from
their employer. The Ponemon study found that immediately after employees left
their former company, 61% took paper documents or hard files, 53 percent
downloaded information onto a CD or DVD and 42% downloaded info to a USB
In an economic downturn, incidents of identity theft and fraud tend to
escalate. Organizations can easily be taken advantage of by desperate employees
during times of economic confusion and anxiety. Knowing this, forward-looking
companies will increase their investment in security during difficult times.
According to Ernst & Young’s 2008 Global Information Security Survey, despite
tightening economies worldwide, 50% of companies are set to increase their
information security budgets.
Enforcing a security program that identifies and detects the warning
signs of identity theft is not only a good business practice, it’s the law.
Governments and regulators around the world are now demanding that companies
take responsibility for the security of confidential records.
The Federal Trade Commission (FTC) will implement the “Red Flags Rule”
beginning November 1, 2009. A “Red Flag” is a pattern, practice or specific
activity that indicates the possible existence of identity theft. The Rule
requires U.S. financial institutions and creditors with covered accounts
(creditors include organizations such as finance companies, automobile dealers,
mortgage brokers, utility companies, and telecommunications companies) to have a
standardized program that detects, prevents and mitigates identity theft.
Organizations covered by the Rule must have policies in place to comply with the
new standards to avoid costly fines, regulatory enforcement actions and
the risk of security breaches. Organizations should consider document
destruction a key component of their Red Flags Rule policy, one best
handled by experienced security experts.
Document Destruction Best Practices
Technological innovation, coupled with more stringent legislation, is
changing the information environment and operational practices of many
organizations. For instance, organizations can help themselves avoid security
breaches and achieve compliance by enforcing security measures, such as using an
outsourced document destruction provider and ensuring all confidential documents
are disposed of properly. Timely and frequent document destruction is an
excellent preventive measure to help mitigate identity theft. Additionally,
shredding all confidential waste paper into unrecognizable confetti that is
recycled into new paper products reduces the negative environmental impact of an
In times of recession, businesses tend to look at each line item in their
budget. However, companies should realize that taking risks with the security of
their business and customer information is not a good choice. The potential cost
of litigation, fines, negative media attention and reputation damage caused by a
security breach can be astronomical. According to the document security experts
at Shred-it document destruction, organizations can achieve a 17% productivity
savings when using a professionally managed document destruction service.
The document destruction process is managed either in-house or by a
third-party provider. Organizations should consider the level of security of
different document destruction methodologies, which vary dramatically based on
the following questions:
• How and where are paper documents stored before they’re destroyed? Any
• Is the same document management and destruction process consistently
• Are all staff committed to the integrity of the document destruction
• Are there formal policies in place governing the issues of information
security, such as employee access to sensitive information?
• Is there formal training in secure document management and disposal?
Are employees trained?
• What are the overall attitudes and culture around managing the paper
The Red Flags Rule and Document Destruction Benefits
• Is a preventive measure to help “mitigate” identity theft.
• Is the most secure when it is professionally managed by experienced
• Reduces the risk of security breaches that could cause: loss of
customer trust; loss of reputation; loss of revenue; costly fines.
• Helps to protect brand reputation.
• Facilitates regulatory compliance and helps ensure businesses meet
local, state and federal privacy legislation requirements.
• Limits the number of people handling documents; shreds much larger
volumes quickly compared to in-house shredders.
According to the Ponemon Institute, in 2008 the average total cost of a
data breach was $6.7 million, up from $6.4 million in 2007 and $4.5 million in
2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in
2007, and from $138 when the study was launched in 2005.
Once organizations meet the Red Flags Rule requirements, the FTC may ask
whether the Rule helped more organizations identify the warning signs of
identity theft and prevent or mitigate security breaches. While this issue
likely warrants a larger discussion, it’s safe to say that the requirements
under the Rule will ensure organizations pay close attention to security
measures that could help prevent fraud and identity theft.
Karen Smith, Senior Vice President, Shred-it U.S., is responsible for
Shred-it’s sales, service and operations in the U.S., with over 25 years’
experience. Contact her at: email@example.com