The government is trying to strengthen identity theft protections at the entities you and I routinely entrust with our personal information.
A bit of background: in July 2002, Congress passed a law commonly called the Sarbanes-Oxley Act (SOX), which set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and it directs the Securities and Exchange Commission (SEC) to issue the rules that spell out what compliance with the law requires.
The original purpose of the law was to enhance corporate responsibility and financial disclosure and to combat corporate and accounting fraud. One of the law's principal provisions requires every public company to evaluate, and disclose, the effectiveness of its internal controls.
Originally, these controls covered financial information. But as identity theft became more and more of a problem, the requirement was broadened to include the personal information of customers and clients that a company receives and stores.
The goal was to ensure that identity protection extended not only to a company's own data but to its customers' data as well.
Now SOX has been expanded to include the records and materials that may be kept by third party vendors.
Under SOX, companies must perform audits, or have them performed by their outside accountants, to confirm that internal safeguards are in place and are effective. Now companies must also perform some type of vendor assurance review, or audit the controls a vendor has in place, to ensure that the vendor is not putting at risk the data handed to it when the company outsources various services.
The outsourcing might include having a third party provide account management, application processing or background reviews, or operate call centers in the company's name.
The SEC's broadening of the SOX standards to cover a company's third party vendors is not the only step being taken to strengthen identity theft protections at the entities to which customers and clients entrust personal information.
Recently the SEC, along with the Commodity Futures Trading Commission, adopted rules requiring entities subject to their respective jurisdictions to adopt and implement programs to detect and respond to indicators of possible identity theft.
Under these Red Flags regulations, financial institutions and other credit granting entities now must:
- Develop a written program that identifies and detects the relevant warning signs (Red Flags) of identity theft, such as unusual account activity, fraud alerts on a consumer report or attempted use of suspicious account application documents,
- Ensure the program describes appropriate responses that would prevent and mitigate the crime, and includes a process for updating the program,
- Ensure the program is overseen by the Board of Directors or senior employees of the financial institution or creditor,
- Include appropriate staff training, and
- Provide for oversight of any third party service providers.
All these new rules from the SEC are aimed at prodding the companies to which we give our personal information to live up to their promises of identity protection. Companies are taking these new rules seriously, which is good for us, and hopefully not so good for the bad guys.