• United States



Red Flag Rules and Vendor Relationships

Jul 24, 20092 mins
Identity Management Solutions

August marks the month for businesses to implement identity theft programs to comply with the Fair & Accurate Credit Transactions Act of 2003.  Specifically, Title 16 of the Code of Federal Regulations (CFR) Part 681 requires all financial institutions and creditors to establish a written program to detect, prevent and mitigate identity theft.  “Identity theft” is defined as a fraud committed or attempted using the identifying information of another person without authority (see 16 CFR 603.2(a)).  The FTC has advised that high risk entities should have more elaborate programs, while low risk entities could have streamlined and less complex programs.  In creating their programs, all entities are encouraged to give due regard to specific guidelines provided in an appendix to Part 681.

In addition to their own programs, businesses should not neglect their vendors and suppliers who may have access to “identifying information” (i.e., any name or number that may be used, alone or in conjunction with any other information, to identify a specific person).  Those vendors and suppliers should also have appropriate identity theft programs in place.  To ensure compliance, smart businesses are now requiring such entities to warrant they will have a compliant program in place at all times during their relationship.  A basic warranty should include the following:

With regard to the data received from Company and its customers hereunder, Vendor shall establish and maintain an identity theft program compliant with Title 16 of the Code of Federal Regulations (“CFR”) Part 681 (Identity Theft Rules), including giving due consideration to the Guidelines provided in Appendix A thereto.  Among other things, such program shall be designed to identify, detect, and respond to Red Flags, as defined in Section 681.1.  Vendor shall promptly notify Company in writing if it becomes aware of any attempted or successful identity theft, as defined in 16 CFR 603.2(a),  in connection with its performance of this Agreement.

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author