graduate school of credit and financial management


Post on 15-Jan-2016


TRANSCRIPT

Page 1: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

GSCFM 2014

GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

Wanda Borges, Esq.

Borges & Associates, LLC

575 Underhill Blvd.

Syosset, NY 11791

516-677-8200 x 225

[email protected]

Page 2: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

Increased concern over identity theft

Increased risks of money laundering

Risks of computerized data breach

Page 3: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

STATUTES

GRAMM-LEACH-BLILEY – 1999

Among the first of its kind

Not applicable to commercial business transactions

Protect consumers’ nonpublic personal information from foreseeable threats in security and data integrity.

Nevertheless – set the standard for Safeguards

Page 4: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

STATUTES

GLB’s Safeguard Rule

Ensure security and confidentiality of customer information

Protect against anticipated threats or hazards to security or integrity of such information

Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to the customer

Page 5: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

STATUTES

USA PATRIOT ACT – 2001

“Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”

Passed into law – October 26, 2001

After the 9/11 attacks

Primary Focus:

Deter and Punish Terrorist Acts [Anti-terrorism]

Enhance Law Enforcement Investigatory Tools

Page 6: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

STATUTES

USA PATRIOT IMPROVEMENT AND REAUTHORIZATION ACT OF 2005

Together these Acts are commonly referred to as the USA PATRIOT ACT

Section 326 – Anti Money-laundering section

Requires Financial Institutions to set up and maintain Customer Identification Programs (CIP’s)

Page 7: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PROTECTING PERSONAL INFORMATION

FEDERAL TRADE COMMISSION

Issued “A Guide for Business”

Premise – Companies keep sensitive personal information on files

Names, Social Security Numbers, credit card or other account data necessary to:

Fill orders

Meet payroll

Perform other necessary business functions

Page 8: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

DATA SECURITY PLAN

Take stock of what personal information is maintained in files and on computers

Keep only what is necessary for business operations

Lock and protect kept information

Properly dispose of what you no longer need

Create a plan to respond to security incidents

Page 9: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

DATA SECURITY PLAN

Keep only what is necessary for business operations:

If you really don’t need it, don’t keep it

Electronically printed credit and debit card receipts must be shortened or truncated

Check and change, if necessary, any default settings on software (that may keep information indefinitely)

Develop a written records retention policy

Page 10: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

DATA SECURITY PLAN

Lock and protect kept information:

Physical security

Electronic security

Employee training

Security practices of:

Contractors

Service providers

Page 11: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

DATA SECURITY PLAN

Properly dispose of what you no longer need:

Wipe computers clean of old data when disposing of computer

FACT Act Disposal Rule

Burn

Pulverize

Shred

Page 12: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

DATA SECURITY PLAN

Create a plan to respond to security incidents:

Have a Plan in place to respond to security incidents

Designate a senior member of staff to coordinate and implement response plan

If computer has been compromised, disconnect it immediately from Server and/or Internet

Investigate Security incidents immediately

Take steps to thwart vulnerabilities and threats

Consider whom to notify in the event of a security incident

Page 13: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

STATUTES

GENERAL INFORMATION

Whenever the word “person” is used, “person” includes: corporation, limited liability company, partnership, limited liability partnership and most other artificial entities


Page 14: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

CALIFORNIA

Various bills 2003, 2005, 2006

Strictest disclosure and security procedure requirements in the country

Borrowed standards from GLB & HIPAA

Not limited to records located in California

Page 15: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

CALIFORNIA

Three requirements on businesses:

Notify California residents when security of personal information has been compromised

Notify California residents when information is shared with a third party

Maintain reasonable security procedures to protect personal information

Page 16: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

INDIANA (since 2006)

Regulates ANY company which owns or uses personal information of Indiana residents for commercial purposes regardless of whether the company otherwise is doing business in Indiana

Page 17: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

INDIANA

Develop and implement security procedures

Protect individuals’ non-public personal information

If a breach occurs, report the event to the consumer, state agencies and national credit reporting agencies

Page 18: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

INDIANA – Recommended Program

Designate an employee to coordinate

Identify reasonably foreseeable internal and external risks to security

Assure contractors are capable of maintaining appropriate safeguards

Continually evaluate to reflect new circumstances

Provide consumer notification plans in case of inadvertent data-security breach

Page 19: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

MASSACHUSETTS – 2007 but compliance mandatory 2010

Applicable to all “who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.”

NOT limited to records located within the Commonwealth.

Page 20: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

MASSACHUSETTS – WISP [Written Information Security Program]

Ensure the security and confidentiality of personal information;

Protect against any anticipated threats or hazards to the security or integrity of such information

Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

Page 21: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

MASSACHUSETTS – cont’d

201 CMR 17.00 Compliance Checklist can be found at:

http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf

Page 22: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

Missouri Personal Information Data Privacy Notification and Encryption Laws: Section 407.1500 (2009)

Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach.

Page 23: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

NEW YORK

GENERAL BUSINESS LAW §899-aa

STATE TECHNOLOGY LAW §208

Effective December 2005


Page 24: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

NEW YORK

Definition of Personal Information (Private information)

An individual’s first name or first initial and last name linked with any one or more of the following data elements, when either the personal information or data element is not encrypted or encrypted with an encryption key that has also been acquired

Page 25: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

NEW YORK

DATA ELEMENTS

Social security number

Driver’s license number or non-driver identification card number

Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account

Page 26: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

NEW YORK

APPLICABLE TO:

Any person or business which conducts business in New York State, and which owns or licenses computerized data which includes private information


Page 27: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

NEW YORK

REQUIREMENTS:

Disclose any breach of the security of the system following discovery or notification of the breach in the security of the system

Notify any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

Notify as expeditiously as possible and without unreasonable delay

Consistent with the legitimate needs of law enforcement

Consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system

Page 28: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

TEXAS BUSINESS & COMMERCIAL CODE ANNOTATED §521.053

EFFECTIVE DATE: September 1, 2005


Page 29: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

TEXAS

DEFINITION OF PERSONAL INFORMATION:

Information that alone or in conjunction with other information identifies an individual, including an individual’s:

Name, social security number, date of birth, or government-issued identification number;

Mother’s maiden name;

Unique biometric data, including fingerprint, voice print, and retina or iris image

Unique electronic identification number, address, or routing code; and

Telecommunication access device as defined by Section 32.51 Penal Code

Page 30: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

TEXAS

SUMMARY:

A person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of Texas whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The disclosure shall be made as quickly as possible, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.


Page 31: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

PRIVACY ISSUES: IDENTITY THEFT PREVENTION

State Statutes’ Awareness

TEXAS

implement and maintain reasonable procedures, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.

destroy records not to be retained by: shredding, erasing; or making information unreadable or indecipherable through any means.

Page 32: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

Enacted 2007

Enforcement Began January 1, 2011

Picks up where data security leaves off

Page 33: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

Seeks to prevent identity theft by ensuring that you and your customer are on the lookout for crooks who might obtain and use someone else’s information

Applicable to:

Financial Institutions

Creditors with “covered accounts”

Page 34: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

The definition of “creditor” under the “Red Flags” Rule is broad

A trade creditor may be included

Red Flag Program Clarification Act of 2010 has clarified when a trade creditor is or is not a “creditor” under the Red Flags Rule

Page 35: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010

Limits applicability of the “Red Flags” Rules to a creditor (including a trade creditor) as defined in the Equal Credit Opportunity Act that regularly, and in the ordinary course of business

Page 36: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010

Cont’d.

Obtains or uses consumer reports in connection with a credit transaction,

Furnishes information to consumer reporting agencies in connection with a credit transaction, or

Advances funds to or on behalf of a person based on that person’s obligation to repay the funds or repayable from specific property pledged by or on behalf of that person

Page 37: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010

Cont’d.

Advances funds refers to money, rather than goods or services

This category of “creditors” applies only to entities making loans.

Page 38: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010

Cont’d.

A Trade creditor is included which

Relies on an individual credit report in making credit decisions

Whether the report is on the principal of a small business

Or on a personal guarantor

Or on a non-corporate entity

Page 39: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAG PROGRAM CLARIFICATION ACT OF 2010

Cont’d.

A Trade creditor is NOT included which

Only deals with established corporate entities

Does not rely on personal consumer credit reports

Does not furnish information to consumer reporting agencies

Does not make loans to individuals

Page 40: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

“Covered Account” includes:

any account that a creditor (or financial institution) offers or maintains for which there is a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the creditor or financial institution.

Consumer Accounts for personal, family or household use.

Page 41: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

Risk Assessment

Business must first assess the level of risk

Creditors dealing with small businesses and personal guarantors have a high risk level

Creditors dealing only with large corporate customers and no personal guarantors do not have to comply with the Red Flags Rules

Written “Red Flags” Program must be developed, administered and updated.

Page 42: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

Identify the “red flags” which will alert your business to a problem

A Red Flag is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft, e.g.:

A customer using a credit card for payment and does not have the proper identity code

A customer ordering an unusual quantity or type of produce

A customer requesting delivery to a new or unusual location

Page 43: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

Detect the “red flags”

Verify any new or unusual locations

Contact customer personally if any information or request seems unusual

Verify that a customer who is using a cell phone only actually exists

Verify an email account if it appears generic

Confirm that the business or person you are dealing with really exists

Page 44: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

Respond to “red flags”

Once you have identified your “red flags” and have detected them, your program should set forth a procedure for how you are going to deal with them.

Response may be as simple as contacting the customer for further verification; or

Response could include notifying law enforcement officers

Page 45: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

If you are a creditor as defined above, then

Administer and Update your “Red Flags” program

Proper training of all personnel is required

Periodic review of your “Red Flags” program is required

Board of Directors must write and administer the “Red Flags” Program – or

A Senior Executive (e.g. credit manager) may be designated as the responsible person to write and administer the program.

Page 46: GRADUATE SCHOOL OF CREDIT AND FINANCIAL MANAGEMENT

FEDERAL TRADE COMMISSION’S RED FLAGS RULE

in Summary

If you are NOT a creditor as defined above, then

If your company sells on a purely B2B basis

Your company does NOT have to comply with the “Red Flags” Rules