Red Flags Rule

The Red Flags Rule was based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003[3] (FACTA).

FACTA was enacted to address:

  • Identity Theft Prevention and Credit History Restoration,
  • Improvements in Use of and Consumer Access to Credit Information,
  • Enhancing the Accuracy of Consumer Report Information,
  • Limiting the Use and Sharing of Medical Information in the Financial System,
  • Financial Literacy and Education Improvement,
  • Protecting Employee Misconduct Investigations, and
  • Relation to State Laws.[4]

The rule applies to many different kinds of companies. The list includes, but is not limited to, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies, as well as any other company that advances funds or routinely interacts with consumer credit agencies when performing a service and receiving payment once the work is complete.

Prevent and Mitigate Identity Theft:

  • Act to prevent and mitigate harm when red flags are identified

The red flags fall into five categories:

  • alerts, notifications, or warnings from a consumer reporting agency[6]
  • suspicious documents[6]
  • suspicious identifying information, such as a suspicious address[6]
  • unusual use of, or suspicious activity relating to, a covered account[6]
  • notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts[6]

Red Flag Rule And Identity Theft

Because the Red Flag rule defines creditors broadly, many businesses (such as utilities)[13] are required to collect personal information (such as Social Security numbers and driver’s license numbers) that is not needed for business purposes. This policy is contrary to the FTC’s advice to consumers that they should disclose their Social Security number to others only when absolutely necessary.[14] This aspect of the Red Flag rule has the unintended consequence of increasing the number of businesses that hold consumers’ Social Security numbers, thereby putting consumers at greater risk of identity theft through data theft and increasing costs for the businesses that are required to secure this data.

Cyber Security And Data Breach Lawsuits

Why They Matter

As of January 1, 2020, California became the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages in amounts ranging from $100-$750 per incident, even in the absence of any actual harm, with the passage of the California Consumer Privacy Act (“CCPA”). The class actions that follow are not likely to be limited to California residents, but will also include non-California residents pursuing claims under common law theories. At CUBIC Alliance, we do not provide legal advice; we want to help you avoid cyber threats and data breaches. Legal questions should be addressed with your attorney. As California goes, most times so does the rest of the US.

A successful defense will depend on the ability of the breached business to establish that it implemented and maintained reasonable security procedures and practices appropriate to the nature of the personal information held. The more prepared a business is to respond to a breach, the better prepared it will be to defend a breach lawsuit. To help our clients prepare for the CCPA, CUBIC Alliance recommends its CUBIC service, which provides businesses with a daily view of the cyber threats facing their firms. Using CUBIC will aid in your organization’s cyber defense if a breach occurs. CUBIC delivers a daily cyber threat report on threats facing your organization, not threats against every company in the world. The CUBIC support team can help you mitigate these threats before they become breaches.

Although the US Congress has attempted to agree on federal data breach legislation, as of today, there is no national data breach notification law that applies to most companies. There are federal statutes that apply to financial institutions, common carriers, health care providers, educational institutions, and vendors of health records. If your organization falls within one of the aforementioned categories, be sure to understand the requirements of the relevant federal law and any additional requirements imposed by state law, as state law may apply in addition to federal statutes.

While federal data breach notification law is limited in scope, state data breach laws apply whenever a data breach involves records of that state’s residents. All 50 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving certain types of personally identifiable information.

The following section first summarizes key information about the federal data breach laws. It then explains pertinent state data breach law provisions and highlights important areas in which the state laws diverge. In the event of a breach involving records of consumers who live in multiple states, the laws of those states should be reviewed to ensure that the organization is complying with notification requirements.

Are there any federal laws that apply to your organization?

While there is currently no national data breach notification law, there may be other federal laws that apply to the organization. Federal law most notably implicates organizations in the health care industry, financial institutions, and common carriers.

HIPAA requires health care providers, health plans, healthcare clearinghouses and certain “business associates” to protect covered health information. Covered entities that fall within HIPAA’s scope must notify each impacted individual within 60 days after discovering a breach.

Notification under HIPAA must be written unless consent for alternative notification has been given. The written notice must include a description of the incident, the type of health information accessed, protective steps impacted individuals should take, any mitigation the organization is undertaking, and contact information for those individuals who wish to learn more.

The Gramm-Leach-Bliley Act (“GLBA”) regulates financial institutions’ use of consumer non-public personal information. In the event of a data breach, if it is found reasonably possible that misuse of compromised personal data will occur, the financial institution should notify its customers.

These federal laws do not supersede state law. This means that organizations subject to federal law must also consider the often more stringent state laws at play, although many state laws provide that notification in compliance with HIPAA or the GLBA constitutes proper notice under the state law.

Do the state laws apply to your organization?

Generally, if your organization maintains or transmits Personally Identifiable Information (“PII”) belonging to citizens of a particular state, you should consult the data breach notification law of that state in the event of a breach. Some states maintain that “any entity” is subject to the data breach notification law, while other states limit applicability only to those entities that “conduct business in the state.”

Most of the statutes place the onus on the “owner or licensor” to ensure that affected consumers are notified; however, some states (e.g., Rhode Island and Wisconsin) place that obligation on organizations that simply “maintain” consumer information.

As discussed below, even if the breached organization does not own or license the consumer information, most state laws will require that the organization timely notify the data owner(s) of the breach so that they may fulfill their notification obligations.

The notification laws typically apply only to consumers who are residents of the state in question. However, Hawaii, New Hampshire, and North Carolina’s statutes do not contain this limitation and apply instead to “affected persons,” while Texas’ statute specifically applies to Texas residents and residents of other states. The statutes generally require notification in the event of breaches involving the following information: the consumer’s name in combination with their Social Security number, driver’s license number, account number and access code. Some states go even further and require notification in the event other types of information are accessed or acquired. For example, many states (e.g., Arkansas, Nebraska, Washington and Wisconsin) require notification if biometric data is breached. North Dakota requires notification if the consumer’s date of birth or mother’s maiden name are exposed, since this data is often associated with password recovery or identity verification on online accounts.

Several states require notification if certain medical or health information is at issue. Alabama, Arizona, Delaware, Maryland, North Carolina, Montana, and Wyoming have expanded their definitions to include taxpayer identification numbers. Washington recently added student ID number and private key (used for online signatures) to its list of protected information. Some states require notification if military ID and passport numbers are impacted.

Increasingly, states have added the requirement for notification in the event of a breach involving a username or email address in combination with a password or security question and answer that would permit access to an online account. The rationale is that many people use the same username and password across multiple online accounts. Having those credentials stolen in one breach could expose individuals to the risk of having other accounts hacked. Some states, like California and Arizona, permit notification to be electronic for such breaches only.

The state statutes provide that a breach of personal information that is publicly available does not give rise to a notification requirement. Similarly, the breach of personal information that is encrypted generally does not give rise to notification obligations because data is assumed to be sufficiently protected from disclosure if accessed in its encrypted form.

Because not every breach of personal information is likely to lead to a risk of harm to the affected person, many states have included a materiality threshold that limits notification to cases where the breach “compromises confidentiality, integrity, or security.” A handful of states do not contain any such limitation, however, and appear to require notification in the event of any breach, regardless of the risk of harm flowing from the breach.

What can you do to better protect the PII that your organization collects and stores?

  • All data in transit and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Institute cyber threat training for all employees.
  • Review and update your cyber threat and information security policies and procedures.
  • Enroll your company/organization in CUBIC for daily notifications of cyber threats directed at your domains.