Information Security News

Tomorrow, the House of Representatives Finance Committee will meet to review a possible amendment to the FACT Act that will allow businesses in law, accounting, or healthcare with fewer than 20 employees to exempt themselves from compliance with the Red Flag Rules. We believe this amendment is wrong, for several fundamental reasons:

1. It fails to reflect the reality of modern life. The amendment proposes to exempt businesses that identity theft has not affected. However, identity theft is our nation’s fastest-growing crime. 10 million Americans are victims each year. Medical identity theft is one of the fastest-growing areas of the crime. Should a driver be exempt from buying car insurance because he has never been in an accident?

2. It fails to recognize the interconnectedness of modern business. Why did our economy fall so far, so fast in late 2008? Because businesses in every industry were connected, and when the first began to fall, the rest followed like dominoes. The amendment as written implies that small-town doctors, lawyers, and accountants who “only serve their immediate residential area” are exempt from ID theft. However, each of those businesses is connected – to an insurer, a bank, a billing service, or other entity that works with their customer or patient files. The Red Flag Rules specifically call upon compliant businesses to make sure that their vendors and suppliers are also compliant. Should a large outsourced billing company face increased risk because they do business with a small-town physician?

3. It fails to explain why some businesses are different than others. Why does the amendment only allow exemptions for lawyers, accountants, and medical practices? Yes, those businesses have a professional code of confidentiality in many cases. However, aren’t banks, credit unions, mortgage companies, insurers, and auto dealers expected to maintain some degree of security over customer data? Isn’t it possible that a small company in one of these industries has the same level of recognition with its customers?

An idBUSINESS customer in the metro New York City area (name withheld) is a small mortgage brokerage in a neighborhood that is defined by its orthodox religion. Everyone who lives in this neighborhood knows everyone else – it is as isolated of a community as you may find. The customer called us and asked why the business needed to comply, as 100% of their loans were written when homes passed from one generation to the next, or as refinances to existing customers.  Then, the customer mentioned a note received in the mail, from a large lender. The note asked that this brokerage develop a standard Red Flag procedure to ensure that loans were processed quickly and smoothly. Even this business, with direct knowledge and recognition of every single borrower, realized that it was connected to other entities, and had a responsibility to comply in order to keep the larger system running efficiently to everyone’s benefit – including the borrower.

We at idBUSINESS are not profiteers. We are passionate about information security and driven to see small businesses secure before it’s too late. We are backed by national leaders in data breach services and forensics, with the team that helped victims of Hurricane Katrina and US Veterans who have been affected by identity theft. We will gladly demonstrate our product to Representative Adler of New Jersey, who introduced the amendment. And we thank every business who has proactively complied with this law because they saw that it was the right thing to do for their customers.