Despite Red Flags exemption, FACTA still looms


The Red Flag Program Clarification Act of 2010, passed and signed into law in December 2010, clarified for the Federal Trade Commission (FTC) that Congress did not intend for dentists and other small healthcare providers to be deemed a creditor under the Red Flags Rule.

However, while fewer organizations will be subject to the Red Flags Rule as a result, the new act does not exempt any business or organization from complying with the other provisions of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.

How do the FACTA regulations designed to protect the personally identifiable information of your employees affect your practice? FACTA identifies "employers" as the first category to which the regulations apply. The law provides that any employer whose action or inaction results in the loss of personally identifiable employee information is subject to a public fine and may also be sued in civil court for actual and, in some cases, punitive damages for losing that employee information.

The FTC may "prosecute any inquiry necessary to its duties in any part of the U.S." It has investigative and law enforcement authority, which includes contempt of court actions or failure to comply with an investigative demand. Once an investigation begins, it is too late to begin addressing compliance requirements. Ignorance of these laws is not a defense in civil suits, government investigations, or fines.

All organizations/employers must determine which FACTA rules apply to them. Here are some key FACTA compliance considerations of which dental practitioners should be aware:

  • The FTC construes the Gramm-Leach-Bliley (GLB) Act's Safeguards Rule as the minimum standard for FACTA. Betsy Broder, assistant director of the FTC Privacy and Identity Protection Division, was quoted in the March 2006 American Bar Association Journal as saying that all businesses should look to GLB for guidance on how to protect personally identifiable information. "We will act against businesses that fail to protect their customer [employee] data," she said.
  • With this in mind, at the very minimum, organizations need to do the following:
    • Designate an employee to coordinate and be responsible for the office's security program
    • Perform a risk assessment
    • Adopt a written privacy policy
    • Train employees on that policy

  • The FTC further interprets FACTA to require every organization to have a mitigation program in place prior to a data breach. Having a program in place to protect your employees in the event their personal identification is stolen in the workplace is part of a professional mitigation program. This also can reduce the employer's exposure to litigation and possibly hefty state and federal fines.
  • Every organization and person who uses a credit report or background report must follow the FACTA disposal rule. This rule requires you to follow certain established procedures to dispose of such information.
  • The FACTA Address Discrepancy Rule requires organizations to have established written policies regarding the procedures to follow when an address discrepancy is reported on an applicant. This law obligates every organization/employer that regularly verifies an applicant's information to follow the procedure outlined in the law.


Karen Johnson and Julia Baker are consultants with US Identity Theft Solutions. You can reach them at www.usidtsolutions.com.
