BreachExchange mailing list archives
Re: fringe Federal law and ID theft prevention
From: "Derek Rigsby" <Derek.Rigsby () idcure com>
Date: Thu, 4 Sep 2008 12:16:53 -0600
Training new employees is important. They are a strange breed; not just your first line of defense against fraud but they are also the most likely person to steal the information that they have legitimate access to. Too often good employees see problems and potential holes in their organizations information security policy but do not know how or if they should bring them up to senior management. Education is necessary to combat fraud and identity theft but any company will need the buy in from senior management for any policy to be effective. The Red Flag Rule states that the policy must be administered by a board of directors, or in the case of smaller entities that may not have a board of directors, a member of senior management. Together proper education of all employees and senior management driving the operational and cultural changes necessary to implement a formal red flag policy is a step in the right direction. What is equally important and something I did not notice in the referenced document is the vendor integrity requirement of the law. A covered entity must ensure not only its own compliance, but also must consider the information security posture of any vendor, supplier or third party provider with whom it exchanges sensitive data or whom has access to sensitive data. All too often we hear about a loss of data where a third party vendor mishandled a consumer's PII. It is apparent in today's world that organizations need to train their employees regularly and have senior management coordinate the cultural and operational changes but it is equally important to know that vendors and suppliers are doing the same. If your organization does everything properly and one vendor or supplier does not share the same kind of reverence for protecting PII your company is still at risk. Derek Rigsby Vice President Product Development idBUSINESS / idCURE Denver, Colorado 720.278.0756 - Mobile Derek.Rigsby () idCURE com <https://secureidcure.myhsphere.biz/../index.cfm> -----Original Message----- From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Michael Hill, CITRMS Sent: Thursday, September 04, 2008 11:03 AM To: Henry Brown; dataloss () attrition org Subject: Re: [Dataloss] fringe Federal law and ID theft prevention I want to add one thing to this very informative article from Jones Day written by Kevin Sykes that I believe is an important part of the administering of the "Identity Theft Prevention" program under the Red Flag Rules. As a consultant who has assisted many companies in their ID Theft program, training their employees on the program and the reality of identity theft is an absolute must for all businesses. I think its .90(e) in the rules. We read article after article on this webboard about data breaches and the loss of PII and it seems the human element plays a VERY big part. To not train ALL your employees, I think would be leaving your business open to even more liability. Yes, even the warehouse personnel as well. Michael Hill Certified Identity Theft Risk Management Specialist 404-216-3751 www.idtheft101.net
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- fringe Federal law and ID theft prevention Henry Brown (Sep 04)
- Re: fringe Federal law and ID theft prevention Michael Hill, CITRMS (Sep 04)
- Re: fringe Federal law and ID theft prevention Derek Rigsby (Sep 04)
- Re: fringe Federal law and ID theft prevention Adam Shostack (Sep 04)
- Re: fringe Federal law and ID theft prevention Derek Rigsby (Sep 04)
- Re: fringe Federal law and ID theft prevention Adam Shostack (Sep 04)
- Re: fringe Federal law and ID theft prevention Derek Rigsby (Sep 04)
- Re: fringe Federal law and ID theft prevention Michael Hill, CITRMS (Sep 04)