Friday, October 7, 2011

Red Flags Rule Procedures, SSN Collection


The Red Flags Rule doesn’t require any specific practice or procedures for your identity theft prevention program. It gives you the flexibility to tailor it to the nature of your business and the risks it faces. The FTC will assess compliance based on the reasonableness of a company’s policies and procedures. Businesses with a high risk for identity theft may need more robust procedures – like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined program; for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business. The FTC has designed a form to help groups at low risk for identity theft put together a program. It’s available at www.ftc.gov/redflagsrule.

The Red Flags Rule also doesn’t require you to use Social Security numbers or any other specific identifying information. Whether you collect Social Security numbers or other information to verify a customer’s identity depends on the nature of your business and the risks you face. Actually, collecting a Social Security number by itself is not a reliable way to verify someone’s identity because the numbers are widely available and do not prove a person is who he or she claims to be. However, Social Security numbers can be helpful as part of a more comprehensive identity verification process; for example, as a way to check against information from other sources or as a way to get other information, like a credit report, which can be used to verify a person’s identity.
It’s a good data security practice not to collect more information than you need. If you are asking for a Social Security number, but not actually using it as part of a more comprehensive authentication process, reconsider whether your business really needs to collect and maintain it.
