Federal and state Red Flag laws, designed to curb identity theft, are set to take effect Jan. 1, 2010, with Massachusetts enacting the most stringent consumer protection law in the nation, but many of the country’s 11 million small businesses may be unaware of their necessary compliance, according to the Federal Trade Commission.
In 2008, $60 billion was lost and 35.6 million consumer records were exposed due to data breaches and identity theft, a 47 percent increase over 2007, according to the Identity Theft Resource Center.
Organizations that use credit reports, extend credit or defer payments for goods and services are subject to the new identity theft law.
Red Flags requires businesses to develop a comprehensive written identity theft prevention program, to protect consumers and customers from identity theft and related crimes. Organizations impacted by Red Flags have until Aug. 1, to meet requirements.
According to Joel Winston of the FTC, the commission is currently filing cases against companies that do not utilize reasonable measures to secure privacy data. The FTC said it is employing numerous strategies to get the message to the business community about the importance of protecting consumers from privacy information and identity theft.
On Aug. 2, 2007, Gov. Deval Patrick signed into law 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. The law affects virtually every business, including those not located in Massachusetts.
Under these new laws, personal information is defined as first and last name or first initial and last name in combination with any one or more of the following: social security, driver’s license or state-issued identification card numbers, financial account number, credit or debit card number with or without any required security code, access code, PIN or password.
The law mandates that organizations develop a comprehensive written information security program that includes physical security, computer system security, risk assessments and vendor management.
