FACT Sections 114 and 315 - Identity Theft Red Flag Regulations
The Federal Trade Commission and the federal financial institution regulatory agencies jointly issued the rules on identity theft "red flags" and on notices of address discrepancy. The rules that CIOs need to implement under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT) for identity theft protection are clearly defined.
The rules require each financial institution or creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and must enable the financial institution or creditor to:
- Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;
- Detect red flags that have been incorporated into the Program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks from identity theft.
The agencies also issued guidelines to assist CIOs and companies in developing and implementing a Program, including a supplement that provides examples of red flags. Related topics include:
- Growth and Detection of Identity Theft
- How Information Is Illegally Obtained and Used
- Assisting Victims of Identity Theft
- Basics of Prevention
- Information Security Requirements
- Customer Identification Program Requirements
- Consumer Privacy and the Fair Credit Reporting Act
- Related Policies and Procedures
- Corporate Originators of ACH Transactions
- Credit Card Fraud
- Fraud Involving ATM and Debit Cards
The regulation also requires credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely (the rule sets a minimum window of 30 days) by a request for an additional or replacement card; the issuer may not issue the card until it has confirmed the address change with the cardholder or otherwise assessed its validity. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.
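The card-issuer requirement above is, in practice, a correlation rule over account events, and it is also a concrete instance of the "detect red flags" step of the Program. The following is an added example written for this page, not code from the rule, the agencies, or any vendor product; the event record layout, field names, and the sample events are constructed assumptions. It flags an additional or replacement card request that arrives within the window after an address change that has not yet been verified with the cardholder, and records the response the rule expects.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


# Hypothetical event records (field names are assumptions, not any
# card-issuer system's real format).
@dataclass(frozen=True)
class AccountEvent:
    account_id: str
    kind: str                 # "address_change" or "card_request"
    when: date
    verified: bool = False    # address_change: cardholder confirmed the change
                              # (e.g. notice sent to the former address)
    card_type: str = ""       # card_request: "additional" or "replacement"


@dataclass(frozen=True)
class RedFlag:
    account_id: str
    address_changed: date
    card_requested: date
    days_between: int
    action: str


def find_card_request_red_flags(events: List[AccountEvent],
                                window_days: int = 30) -> List[RedFlag]:
    """Flag additional/replacement card requests that follow an unverified
    change of address within window_days.  The rule's minimum window is
    30 days; an issuer may choose a longer one."""
    by_account: Dict[str, List[AccountEvent]] = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_account.setdefault(ev.account_id, []).append(ev)

    flags: List[RedFlag] = []
    for account_id, evs in by_account.items():
        pending: List[AccountEvent] = []  # unverified address changes seen so far
        for ev in evs:
            if ev.kind == "address_change":
                if not ev.verified:
                    pending.append(ev)
            elif ev.kind == "card_request" and ev.card_type in ("additional", "replacement"):
                for chg in pending:
                    delta = (ev.when - chg.when).days   # >= 0: events are date-sorted
                    if delta <= window_days:
                        flags.append(RedFlag(
                            account_id=account_id,
                            address_changed=chg.when,
                            card_requested=ev.when,
                            days_between=delta,
                            action="hold card issuance; confirm the address change "
                                   "with the cardholder at the former address or "
                                   "through a previously agreed channel",
                        ))
                        break
    # Deterministic order for reporting.
    return sorted(flags, key=lambda f: (f.card_requested, f.account_id))


# Constructed sample events, not real customer data.
SAMPLE_EVENTS = [
    AccountEvent("ACC-1", "address_change", date(2024, 3, 1)),
    AccountEvent("ACC-1", "card_request", date(2024, 3, 10), card_type="replacement"),
    AccountEvent("ACC-2", "address_change", date(2024, 3, 1), verified=True),
    AccountEvent("ACC-2", "card_request", date(2024, 3, 15), card_type="additional"),
    AccountEvent("ACC-3", "address_change", date(2024, 1, 1)),
    AccountEvent("ACC-3", "card_request", date(2024, 3, 20), card_type="replacement"),
    AccountEvent("ACC-4", "card_request", date(2024, 3, 5), card_type="replacement"),
    AccountEvent("ACC-4", "address_change", date(2024, 3, 6)),
]

if __name__ == "__main__":
    for flag in find_card_request_red_flags(SAMPLE_EVENTS):
        print(f"{flag.account_id}: card requested {flag.days_between} days after "
              f"unverified address change on {flag.address_changed}; {flag.action}")
```

With the default 30-day window only ACC-1 is flagged: ACC-2's change was verified, ACC-3's change is 79 days old, and ACC-4's request precedes its address change. Widening the window to 90 days also catches ACC-3, which is the kind of tuning the "update the Program periodically" requirement is meant to drive.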
NIST Special Publication 800-60 (Volume 1, Volume 2), Guide for Mapping Types of Information and Information Systems to Security Categories, assists Federal agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199: a security category records a low, moderate, or high impact value for each of the three objectives, and a system's category takes the highest value recorded for each objective across the information types the system processes. Special Publication 800-60 contains two volumes. Volume I provides guidelines for identifying impact levels by information type and suggests impact levels for administrative and support information common to multiple agencies. Volume II includes the rationale for information type and impact level recommendations and examples of recommendations for agency-specific, mission-related information.
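The categorization step can be written down exactly, which makes it easy to audit. The following is an added example for this page, not code from NIST, SP 800-60, or any product; the information type names and their impact values are constructed for illustration and are not the provisional levels published in SP 800-60 Volume II. It validates each information type against the FIPS 199 rule that "not applicable" is only permitted for confidentiality, takes the high-water mark per objective to produce the system security category, floors a system at LOW, and then derives the single overall impact level that FIPS 200 uses to select a control baseline.

```python
from typing import Dict

# Impact values in ascending order so max() yields the high-water mark.
# FIPS 199 permits "NA" only for the confidentiality of an information type
# (public information); it is never a valid value for a system.
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoType = Dict[str, str]   # objective -> impact value


def validate_info_type(name: str, levels: InfoType) -> None:
    """Reject impact values FIPS 199 does not allow for an information type."""
    for objective in OBJECTIVES:
        value = levels.get(objective)
        if value not in RANK:
            raise ValueError(f"{name}: {objective} has invalid impact value {value!r}")
        if value == "NA" and objective != "confidentiality":
            raise ValueError(f"{name}: NA is only allowed for confidentiality")


def system_security_category(info_types: Dict[str, InfoType]) -> Dict[str, str]:
    """System security category: the highest impact value per objective
    across every information type the system processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, levels in info_types.items():
        validate_info_type(name, levels)
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        top = max((levels[objective] for levels in info_types.values()), key=RANK.get)
        # A system's values are low, moderate or high; NA floors to LOW.
        category[objective] = "LOW" if top == "NA" else top
    return category


def overall_impact_level(category: Dict[str, str]) -> str:
    """FIPS 200 high-water mark across the three objectives; this single
    level selects the control baseline."""
    return max(category.values(), key=RANK.get)


def format_category(label: str, category: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation SC x = {(objective, impact), ...}."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed information types for a hypothetical customer portal; the
# values are illustrative, not SP 800-60 provisional levels.
SAMPLE_INFO_TYPES = {
    "public website content": {"confidentiality": "NA", "integrity": "MODERATE", "availability": "LOW"},
    "customer account records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "identity theft case files": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    for name, levels in SAMPLE_INFO_TYPES.items():
        print(format_category(name, levels))
    sc = system_security_category(SAMPLE_INFO_TYPES)
    print(format_category("customer portal", sc))
    print("overall impact level:", overall_impact_level(sc))
```

For the constructed inputs the system comes out as {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)} with an overall level of HIGH: one information type with a HIGH integrity value raises the whole system's baseline, which is why the information-type inventory in Volume I is the step that deserves the most scrutiny.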
Janco's Security Manual Template meets the compliance requirements of FIPS 199 and includes an electronic form that can be used in the assessment process.
The Security Manual Template can be acquired separately or as part of the Business Continuity and Security Bundle.
Order the FIPS 199 Compliant Security Manual or the Business Continuity / Security Bundle
We have just the download you need to create a world class plan and ensure you leave no stone unturned. With these Templates we walk you through the entire process, providing all the tools you need along the way. As an added benefit you can purchase an update service that keeps these templates abreast of the latest legislated and mandated requirements. All of our documents have been updated to comply with PCI-DSS, Sarbanes-Oxley, HIPAA, and the ISO 27000 (formerly ISO 17799) series - 27001 & 27002.
Both of these FIPS 199 compliant products come with a detailed security audit program.