wilsonelser.com
Wilson Elser Commercial Services

Data Breach Prevention Regulations - Federal

Federal law requires that most businesses comply with the Red Flags Rule by having procedures in place that combat identity theft. Even if a business technically is not required to comply with the Red Flags Rule, plaintiffs litigating against a business that experienced a data breach are arguing that the Red Flags Rule is one of the applicable standards of care.

The “Red Flags” Rule took effect on January 1, 2008. Compliance with this requirement will be enforced by the Federal Trade Commission (“FTC”), federal bank regulatory agencies and the National Credit Union Administration commencing November 1, 2009.

Four steps are required to comply with the Red Flags Rule:

  1. Identify indicators of potential identity theft relevant to the business;
  2. Establish and use appropriate procedures to detect the potential identity theft indicators;
  3. When a potential identity theft indicator is spotted, act to prevent data theft and mitigate any potential harm; and
  4. Update the Red Flags compliance program regularly, and educate staff appropriately.

For more than a decade we have helped businesses identify “red flags” to contain cyber perils, including hacking, phishing and other forms of data theft. With this experience, working through the four steps to comply with the Red Flags Rule can be simple and straightforward.