Houston Identity Theft Theft Ring Arrested After Ordering Smart Phones

The Houston Examiner reported the arrest of members of an identity theft ring that used the stolen identities of Sprint customers to order fraudulent replacement smart phones, which they resold:

"Customers are routinely asked for their secret PIN numbers when they walk into Sprint stores, and federal agents say employees of the store were giving that information to thieves who were using it to get replacement phones that could be sold online."

What I found interesting about this case were the three points where data security failed. Better security at any one of these points could have stopped this theft ring before it started.

First, insider identity theft by employee facilitated the thefts. Using the stolen identities, the thieves ordered replacement smart phones from the insurance company, Asurion, used by Sprint mobile customers. A data breach like this highlights the need for a mobile service provider to implement a Red Flags program to identify and address problem data-security areas.

Second, the insurance company didn't seem to notice the rise in replacement phones within a specific geographic area:

"After filing the insurance claims, Secret Service agents say brand new phones were mailed out to hotels throughout the Houston area."

Most banks regularly flag purchases outside a consumer's normal credit card purchase patterns. Mobile service providers and mobile device insurers could and should do the same; especially where insurance claims include a different delivery address than the customers' home address. The new overage alert features by mobile service providers is a good first step in this direction, but it shouldn't require prodding by the FCC.

Third, several Houston area hotels seem to routinely accept and deliver packages to people who routinely made reservations but never checked in. This is like airlines accepting luggage for passengers who make reservations but never buy a ticket. Airlines have identified this security risk, and so too should hotels. Accept packages if you want, but deliver them only to customers have they have registered and checked in; or make it a perk only for loyalty program members.

FTC Postpones Red Flag Enforcement Date (Again)

In a May 28, 2010 press release, the U.S. Federal Trade Commission (FTC) announced another date change for enforcement of "Red Flag" rules. The prevailing reason for the delay has been that businesses, especially small businesses, need time to adjust to the new regulations.

The enforcement date has changed so many times, I have difficulty keeping up. The original enforcement date was November 1, 2008. Then it was August, 2009. In November 2009, the FTC moved the enforcement date to June 1, 2010. The new enforcement date is December 31, 2010 which might as well be sometime in 2011.

The Fair and Accurate Credit Transactions Act (often called FACTA) passed by the U.S. Congress in 2003 required the FTC to develop regulations mandating that companies that are "creditors" and/or maintain "covered accounts" address the risks from identity theft by developing a written plan to identify, detect, and respond to patterns, practices or activities -- known as "Red Flags" -- that typically indicate identity theft; and then implement that plan by the enforcement date set by the FTC. The benefit for consumers is that companies, in theory, will better protect our sensitive personal and financial information.

In theory, a consumer should be able to walk into a firm subject to the law and ask to see a copy of that company's Red Flag data security plan. The U.S. Congress is still debating which firms and industries are subject to the Red Flag regulations, and which aren't. Several industries, such as accountants, lawyers, and doctors have petitioned Congress for exclusion.

In my opinion, the reason for the multiple date changes is based more on politics as various industries petition Congress for exclusion. Everyone wants stronger data security laws, but only for it to apply to everyone else.

Since the FACTA law was passed, some states, like Massachusetts, have enacted stronger identity theft prevent laws on their own.

FTC Delays "Red Flag" Enforcement Again

Once again, at the request of members of Congress, the Federal Trade Commission (FTC) has delayed the enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors.

The prior enforcement date had been November 1, 2009. In May of 2009, the FTC changed the enforcement date from May 1, 2009 to August 1, 2009.

As part of the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditor companies to address identity theft. The resulting regulations require these companies to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- commonly called "Red Flags" -- that could indicate identity theft.

The FTC regulations are pretty specific about the types of companies covered by these new identity-theft regulations:

"The Rule defines a “financial institution” as: 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a “transaction account” belonging to a consumer. “Transaction accounts” are deposits or accounts from which a consumer can make payments or transfers to third parties. Banks, federally chartered credit unions, and savings and loans come under the jurisdiction of the federal bank regulatory agencies or the National Credit Union Administration and should check with them for guidance. The FTC’s jurisdiction extends to state chartered credit unions and other institutions that hold transaction accounts – for example, mutual funds that offer accounts with check writing or debit card privileges or other businesses that offer accounts where consumers can make payments or transfers to third parties. Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing... In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector..."

In April of 2009, the FTC launched a Web site to help small and medium-sized businesses comply with the new Red Flag regulations. A U.S. District recently ruled that attorneys are exempt form the new regulations. A different set of regulations apply to hospitals and health care firms.

During the coming weeks and months I will explore the Red Flag rules more closely since the new enforcement data is an opportunity for consumers to demand more from companies that store and user their sensitive personal information. The opportunity is for consumers to be able to ask a company they are considering doing business with for a written statement of how that company protects their sensitive personal data.

Will the June 2010 date hold? Who knows. The FTC's pattern of delays suggests probably not. As this issue moves forward, the I've Been Mugged blog will report about it.

FTC Grants Another Delay in Red Flag Rule Enforcement

Last week, the FTC released this press release:

"The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs... The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.”

This was the second delay. In October 2008, the FTC granted a six-month delay which moved the deadline to the prior date of May 1, 2009. Now, the deadline is August 1, 2009. From Network World:

"The Red Flag program is one of the major ways the government plans to fight the growing identity theft blight. Banks and other financial institutions typically account for about half of the identity theft complaints filed with the FTC... That's one of the reasons why under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft."

I hope that there are no more delays. The Red Flag Rules are one tool to help protect consumers' sensitive personal data. And, identity thieves aren't delaying their activities.

FTC Launches Red Flag Rules Web Site

From the Identity theft and Business blog:

"After a year or more of confusion on the part of businesses and their counsel the Federal Trade Commission (FTC) has launched a Web site to help businesses and non-profits to come into compliance with the Red Flags Rules. The FTC will begin enforcing the rules on May 1. The site offers articles and guides for helping create identity theft prevention programs, a key requirement of the rules. The site also details which entities must adhere to the rules, which were created to reduce instances of identity theft. The FTC has also published a very good guide for businesses who must determine if they have “covered accounts” and how to go forward with their program. I have added a permanent link to the FTC Red Flags site to my links for your convenience."

This web site is another reason why companies have no excuse for complying with the Red Flag Rules and its May 1 deadline to better protect consumers' sensitive personal data.

The Red Flag Rules Deadline Fast Approaches

I've written about this before, but it is so important it needs to be emphasized. There's a really good post at the Ephemeral Law blog about the fast-approach Red Flag Rules deadline (links added):

"The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching. The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments. Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments. Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts. Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA. The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program. Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008."

If you are a small business owner, this affects you. If you are a consumer, this compliance is important given the push to digitize patients' medical records. If you are a consumer, it's good to know about the Red Flag Rules, so you shop at retail businesses that properly protect the sensitive personal data they use. To learn more, follow all of the above links.

New 'Red Flag' Rules Require Creditors To Improve Identity Theft Programs

The Fair and Accurate Credit Transactions Act of 2003 required the U.S. Federal Trade Commission to develop new rules about identity theft for financial institutions and companies that handle consumer financial accounts:

"The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:"

"Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;"

"Detect red flags that have been incorporated into the Program;"

"Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and"

"Ensure the Program is updated periodically to reflect changes in risks from identity theft."

In his Identity theft and Business blog, John Taylor emphasized the types of companies which must comply to the new "red flag" rules:

"Every covered business, non-profit, municipality, county, financial institution, auto dealership, mortgage brokerage, utility company, insurance agency, medical office, or any organization that accepts regular payment accounts for services or goods..."

John also described well the consequences of non-compliance:

"From this point forward not having such a plan in place could possibly result in individual laws suits, class actions, fines, audits, and possibly federal and state prosecution of all officers if any personally identifiable information (PII), is found to have been lost or stolen from the organization."

Affected companies were to have their programs in place and ready by November 1, 2008. Last week, the FTC announced that the deadline for compliance was delayed six months to May 1, 2009. In its news release, the FTC listed the following reasons for the delayed deadline:

"The Commission staff launched outreach efforts last year to explain the Rule to the many different types of entities that are covered by the Rule. The agency published a general alert on what the Rule requires, and, in particular, an explanation of what types of entities are covered by the Rule. During the course of these efforts, Commission staff learned that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Rule. These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the Rule’s requirements too late to be able to come into compliance by November 1, 2008. The Commission’s delay of enforcement will enable these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule.