April 22, 2009 | Editor

Red Flags Rule … Ready or not, here I come!

Text from a post at security.perimeterusa.com by Kevin Prince.
———————–
There is a lot of talk about Red Flags. A lot of confusion because the date it goes into effect changed and a lot of people still don’t know if they are subject to it or not.

I was reading an article recently about Red Flags put out by a veterinary association (yes…dogs and cats) which was talking about how veterinary clinics, if they allow customers to defer payments (don’t pay the entire bill at time of service) are subject to Red Flags. This opened my eyes to a much wider array of organizations that Red Flags applies to. If you don’t know for sure if it applies to you, view the FTC’s website and read about it.

Others I have spoken to don’t think there is much in the way of penalties (which is true), so they aren’t that concerned about it. Just because the Red Flag rules don’t include criminal penalties, doesn’t mean you should be concerned. If an organization has a data breach, it is almost certain they will be slapped with one or more lawsuits. Hannaford Brothers is fighting one currently where the people that have filed the lawsuit were in no way negatively impacted by the breach. Heartland Payment Systems has had multiple lawsuits filed against them by shareholders saying that the stock price was impacted and they weren’t properly notified as shareholders of the situation. Heartland Payment Systems stock has dropped 80 percent or more during the period the lawsuit covers. Likely, this is more to do with the economy and credit markets getting worse, and not about the data breach they had. But those that filed the lawsuit may just be using the breach as an excuse to recoup losses from a sharply falling stock price.

Keep in mind that both Heartland and Hannaford were PCI compliant at the time of the breach. Not that they were secure, mind you. But they were “technically” compliant. You can also be compliant with Red Flags and get breached as well. If, however, you live the spirit of the law, and not just the letter, you will be far less likely to experience a data breach because you are protecting sensitive information properly.

Red Flags is just another regulation meant to help curb the rampant growth of identity theft and fraud here in the U.S. I doubt organizations that do not comply with Red Flags will have much of a defense against lawsuits as well as other negative impacts to their business if…or when a data breach occurs.
