There was an article in Sunday’s Arizona Republic regarding the Federal Trade Commission’s requirements for any company handling sensitive customer information. Technically this law went into effect back in January 2008, but it was not enforced due to lack of awareness. Now that the FTC has completed its education and awareness program, and enforcement will begin August 1st of this year, it’s time to begin discussing these guidelines. This means that any business that collects, stores, or uses sensitive customer data needs a plan to protect data use and storage.

The FTC requirements are presented in two broad categories. The first part spells out what companies can do to detect fraud associated with identity theft; the Red Flags Rule spells out the four required components.

  • Document specific ‘red flags’ that indicate fraud for your type of business.
  • Document how your organization will go about detecting those indicators.
  • Develop guidelines on how to respond when they are encountered.
  • Periodically review the process and indicators for effectiveness and changes to business processes.

The second part is about protecting personal information and safeguarding customer data. It’s pretty straightforward: know what you have, keep only what you need, protect it, periodically dispose of data you don’t need, and have a plan in case of breach. And, of course, document these points so the FTC knows you are in compliance. None of this is really ground-breaking, but it is a solid generalized approach that will at least get businesses thinking about the problem. It’s also broadly applied to all companies, which is a big change from what we have today.

After reviewing the overall program, there are several things I like about the way the FTC has handled this effort. It was smart to cover not just data theft, but how to spot fraudulent activity as part of normal business operations. I like that the recommendations are flexible, and that the FTC did not mandate products or processes, only that you document what you do. I like the fact that they were pretty clear on who this applies to and who it does not. I like the way that reducing the amount of sensitive data retained is shown as a natural way to simplify requirements for many companies. Finally, providing simple educational materials, such as this simplified training video, is a great way to get companies jump-started, and gives them some material to train their own people.

Most organizations are going to be besieged by vendors with products that ‘solve’ this problem, and to them I can only say ‘Caveat emptor’. What I am most interested in is the fraud detection side, both what the red flags are for various business verticals, and how and where they are detected. I say that for several reasons, but specifically because the people who know how to detect fraud within the organization are going to have a hard time putting it into a checklist and training others. For example, most accountants I know still use Microsoft Excel to detect fraud on balance sheets! Basically they import the balance sheet and run a bunch of macros to see if there is anything ‘hinky’ going on. There is no science to it, but practical experience tells them when something is wrong. Hopefully we will see people share their experiences and checklists with the community at large.

I think this is a good basic step forward to protect customers and make companies aware of their custodial responsibility to protect customer data.