The Golden Rule of Information Protection and ID Theft Red Flags Compliance
When I hear information security professionals say they're overwhelmed by the amount of work that has to be done to comply with such regulatory requirements, I think of what my grandmother always used to tell us when we grandkids were squabbling over something or tormenting our siblings - "Treat others as you would like to be treated; that's the Golden Rule."
I want to tell those security professionals out there whining that it is hard work to protect all that personally identifiable information (PII) at their institution: think how you'd want your PII protected.
This should be the Golden Rule of Information Protection and what makes it personal to you when it comes to meeting ID Theft Red Flags compliance. How would you feel if your customer account information was taken? What if the institution where you did your banking didn't fully implement an ID Theft Prevention Program, and your information, along with other customers', was taken and used for identity theft? Wouldn't you expect your banking institution to take the most stringent measures in authenticating that you are really you and not somebody who is pretending to be you? See the 26 Red Flags and put yourself in each scenario and think what you would lose if it happened to you.
Think how you'd feel if your savings account was drained and you had to explain to angry retailers or credit card companies that the thousands of dollars charged on a credit card with your name on it were not made by you, but by a criminal who has stolen your identity.
Face it -- your institution may be considered ground zero for an identity thief. If you think that your institution and the rest of the financial services industry are getting the fuzzy end of the lollipop, take a look at what other entities are doing as part of the marching orders that came from The President's Identity Theft Task Force Report. Just skim through this 70-page report and you'll see that your institution isn't the only entity doing significant work in combating this heinous, life-destroying and highly personal crime.
And yes, I've heard other institutions that aren't state-chartered credit unions call for a push-back of their compliance date. (For those of you who missed last week's news, the FTC pushed back the enforcement date for state-chartered credit unions until May 1, 2009.) Read between the lines -- that doesn't mean those state-chartered credit unions won't be liable, just that the FTC won't enforce the rule. If identity theft occurs at a state-chartered credit union beginning November 1, they would be liable and answerable to the FTC.
For the rest in the banking world, there are only a few days left until the November 1 compliance date rolls around, and if you're not ready to meet your examiner with a program, I hope my pep talk gets you back on track to meet and pass a regulator's examination. Remember to think it's your information you're protecting, and apply the Golden Rule of Information Protection.