Privacy Laws Are In Place - Are You in Compliance?
Numerous regulations (primarily federal, but also global and state) have been enacted to defend those affected by personal information security breaches. They each address the common failure points and the possible negative consequences of private information breaches. Most companies are aware of the Sarbanes-Oxley Act, SEC 17a-4, and the Statement on Auditing Standards. Customer-oriented organizations know about Gramm-Leach-Bliley. Those working in healthcare adhere to HIPAA. The financial services sector complies with the Payment Card Industry Data Security Standard.
On May 3, 2007, lawmakers began the process of passing the overarching Personal Data Privacy & Security Act and the Notification of Risk to Personal Data Act (which were passed by Senate committee and introduced into the full Senate). This legislation is meant to be a double-fisted punch in the fight against identity theft. It specifies directives and increases personal liability associated with breaches of the protection of individually identifying data. Both those failing to protect personal information and any party or parties benefiting from that failure can be prosecuted.
Most industries are subject to very particular laws with respect to personal data protection. All organizations must implement and demonstrate every effort to prevent a data-at-rest information security breach. No matter what type of business or industry, data that is meant to be maintained as private must not be allowed to go public through obvious neglect. Failure to pre-empt or implement compliance policies could allow a breach to completely destroy a business. Because a personal information breach can involve tens of thousands of identities, the costs and fines involved are often millions of dollars.
More than 38 states require notification when a security breach presents a reasonable risk of identity theft. No industry or particular size of company is exempt, and the security breach laws may vary by state. Be aware that a security breach law applies where your customers and employees reside, not where the business is located.
Multi-Million Dollar Fines
Noncompliance could cost you or your business up to $1,000,000 in fines and up to 10 years in prison per incident.
Violations of the federal laws include staggering federal and state fines as high as $1 million per occurrence, civil liability for victim losses (including class actions), and in some instances the legislation provides for removal and imprisonment of culpable business executives and employees responsible for the data loss.
Specific Identity Theft Related Legislation
Fair and Accurate Credit Transactions Act Disposal Rule
This provision of FACTA (aka the FACT Act) requires reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. This rule applies to any person that maintains or possesses consumer information, and it applies to individuals such as landlords, all businesses, and entities (government and non-profits) that possess consumer information. Employees are considered consumers under the law.
Gramm-Leach-Bliley Act Safeguards Rule
The GLBA Safeguards Rule requires financial institutions to implement policies and procedures to maintain the security and confidentiality of nonpublic personal information. A financial institution is defined as a business significantly engaged in providing financial services or products for personal, family, or household use. It applies to check-cashing and payday loan services companies, mortgage brokers, non-bank lenders, personal property and real estate appraisers, professional tax preparers, credit reporting agencies, ATM operators, debt collectors, financial advisors, insurance agents, agencies and brokers, and a variety of other businesses that fit the definition.
Health Insurance Portability and Accountability Act
HIPAA rules apply to any individual or organization that collects or retains protected health information in paper or electronic form. It also requires all businesses with small self-insured or fully-insured health plans to maintain the confidentiality, integrity, and security of employee health information.
Loss of data can involve:
- Negligent employees
- Insiders not authorized for database use
- Compromised PCs (with Trojans/backdoors)
- Disgruntled insiders with authorized access
- Loss of laptops or flash drives
- Vulnerable web servers or extranets
Nearly 10 million people in the United States are victims of identity theft each year. As the damages caused by identity theft grow, so, too, have enforcement actions. The Federal Trade Commission has brought more than a dozen security cases against household names, like Microsoft, DSW Shoe Warehouse, BJ’s Wholesale Club and Choicepoint, for failing to take reasonable steps to protect sensitive consumer information.
Perhaps the most well known enforcement action involved Choicepoint. The Federal Trade Commission obtained $10 million in civil penalties – the highest civil penalty ever levied in a consumer protection case – with $5 million in consumer redress for identity theft victims and significant injunctive provisions that require Choicepoint to implement a variety of new data security measures.
Who Is At Risk?
Any company with responsibility for storing the personal data of customers and employees may be at risk. FACTA requires Nonpublic Information to be properly destroyed and/or protected. If a data breach occurs, the business owners and management are held responsible.
Businesses must anticipate legal liability for identity theft incidents and data breaches of their systems. Most liability insurance products for business exclude damages resulting from identity theft.
Affirmative Defense:
Are you off the hook if your business is compliant with federal/state privacy and identity theft laws, like FACTA, HIPAA, and the Gramm-Leach-Bliley Act, even if identity theft still occurs? Not so, says the FTC. Your affirmative defense solution must be strong enough to defend you in a lawsuit. Showing written proof of your due diligence to comply with the laws helps mitigate your liability.
Data Breach Action Plan
The components of a security program are thoroughly defined and mandated by the FTC. In brief, they include:
(1) Designation of an Information Security Officer
(2) Identification of internal and external risks
(3) Development and implementation of a written policy to protect Non-Public Information
(4) Mandatory employee trainings for prevention, detection, and response to attacks, intrusions, and system failures
(5) Post-breach identity theft protection and restoration coverage
What Can Direct Defender Do For My Company?
- A step-by-step Affirmative Identity Theft Prevention & Privacy Governance program
- Identity Fraud Monitoring of all employees
- Complete Identity Theft Recovery Plan
- Data Breach Action Plan and notification of victims and agencies concerned
- OECD Fair Information Principles, including an easy-to-follow Privacy Assessment
- A step-by-step checklist to easily implement a preemptive privacy governance program
- Security Training Presentation for Your Employees & Custom Training Handouts
A Complete Identity Theft Affirmative Action Plan
1. Specialized Steps To Regulatory Compliance
- Coverage of the latest technical, legal and regulatory data privacy issues
- Policies covering all the Fair Information Principles from the O.E.C.D. (Organisation for Economic Co-operation and Development)
- Easy-to-implement guidelines
- FACTA, HIPAA, Gramm-Leach-Bliley Act (GLBA), PIPEDA, US CAN-SPAM Act, and many others
- Easy-to-follow data protection requirements
- Complete plan for building and maintaining a privacy program that will keep you compliant
- Checklists, forms and training make this an easy-to-follow plan
2. Affirmative identity theft prevention with privacy checklists and all paperwork
- Steps to prepare and assign a security officer in your organization
- A complete privacy officer's checklist to implement and manage the requirements of privacy management
- A complete sample external web site privacy policy with easy customization tips and advice
- Steps for identifying, documenting and protecting Personally Identifiable Information (PII)
- Complete Data Breach Rapid Response Plan
- Access Control Policy
- Physical Security Policy
- Business Associate Policy
- Risk Assessment Policy
- Risk Management Policy
- Incident Management Policy
- Contingency Planning Policy
- Security Officer Policy
- Discipline Policy
- Security Plan Audit Policy
- Encryption Policy
- Security Plan Corrective Action Policy
- Health Plan Data Security Policy
- Security Plan Review Policy
- Malware Policy
- Training and Awareness Policy
- Business Associate Security Incident Policy
3. Data Breach Action Plan
- In the event of a data breach, Direct Defender mails all required breach notification letters to the data breach victims. This is a critical element and requires a delicate psychology in order to alleviate fear and to instill confidence. This avoids loss of customers and class action lawsuits.
- Direct Defender assists the Corporation in properly reporting the data breach to the appropriate authorities.
- Complete Data Breach Rapid Response Plan - Limits Liability & Damage
- Direct Defender fields all phone calls from concerned data breach victims.
- All breach victims get no-cost access to “Credit Monitoring Assist TM”, automated assistance with obtaining and monitoring their federally mandated free credit reports.
- Toll-free access to one of Direct Defender’s expert ID Recovery Specialists.
- Fraud alerts placed with all credit bureaus.
- Direct Defender will recover any breach customer that becomes a victim of Identity Theft.
- Immediate electronic notifications sent to all required Federal, State and Private agencies.
- Help the breach victim obtain a “free copy” of their credit reports.
- Helps to minimize the effect of the data breach on the corporation.
- Daily 3-bureau credit monitoring on any breached customer who becomes a victim of Identity Theft.
Identity Theft Alerts & Complete Identity Recovery Services
Direct Defender uses powerful proprietary software and database analysis technology. Our software system scours billions of private and public database sources for identity theft activity. Our system can identify and alert your company to an unusually high degree of identity theft activity among your employees. This can be an early warning that you may have experienced a data breach.
Identity Theft is a pervasive, insidious crime that inflicts tremendous financial and emotional damage on its victims. Identity Theft is the fastest growing crime in America, and there are no signs of a slowdown. Recent studies determined that 9.9 million Americans were Identity Theft victims in 2004 and that victims typically spend 500 hours and $3,000 to restore their identity and their good name. A growing number of corporate data breaches is responsible for many Identity Thefts. Since January 2005, over 308 reported breaches possibly put over 113.6 million Americans at risk.
Direct Defender’s service is an automated, fully managed method of dealing with Identity Theft that actually repairs the damage and restores the victim's good name and credit to its pre-Identity Theft state.
Direct Defender's technology provides affordable and effective protection to companies in the event of a corporate data breach. This new plan is aimed at protecting the covered company and its customers, alerting affected customers in the event of a breach, providing a single-site 800 number for breached customers to contact, assisting the company in required agency notifications, and recovering any resulting Identity Theft.
Direct Defender provides fully Managed Recovery of any breached customer who becomes an Identity Theft Victim at no additional cost. This will save your company thousands of dollars per person affected by the data breach.
Contact Direct Defender
Privacy Compliance
715 NE 19th Place Suite 45
Cape Coral, FL 33909
headquarters@directdefender.com