August marks the month for businesses to implement identity theft programs to comply with the Fair & Accurate Credit Transactions Act of 2003. Specifically, Title 16 of the Code of Federal Regulations (CFR) Part 681 requires all financial institutions and creditors to establish a written program to detect, prevent and mitigate identity theft. “Identity theft” is defined as a fraud committed or attempted using the identifying information of another person without authority (see 16 CFR 603.2(a)). The FTC has advised that high risk entities should have more elaborate programs, while low risk entities could have streamlined and less complex programs. In creating their programs, all entities are encouraged to give due regard to specific guidelines provided in an appendix to Part 681.
In addition to their own programs, businesses should not neglect their vendors and suppliers who may have access to “identifying information” (i.e., any name or number that may be used, alone or in conjunction with any other information, to identify a specific person). Those vendors and suppliers should also have appropriate identity theft programs in place. To ensure compliance, smart businesses are now requiring such entities to warrant they will have a compliant program in place at all times during their relationship. A basic warranty should include the following:
With regard to the data received from Company and its customers hereunder, Vendor shall establish and maintain an identity theft program compliant with Title 16 of the Code of Federal Regulations (“CFR”) Part 681 (Identity Theft Rules), including giving due consideration to the Guidelines provided in Appendix A thereto. Among other things, such program shall be designed to identify, detect, and respond to Red Flags, as defined in Section 681.1. Vendor shall promptly notify Company in writing if it becomes aware of any attempted or successful identity theft, as defined in 16 CFR 603.2(a), in connection with its performance of this Agreement.
