Re: [Dataloss] fringe Federal law and ID theft prevention

From: Derek Rigsby (Derek.Rigsbyidcure.com)
Date: Thu Sep 04 2008 - 13:16:53 CDT


Training new employees is important. They are a strange breed: not just
your first line of defense against fraud, but also the people most likely
to steal the information they have legitimate access to. Too
often good employees see problems and potential holes in their organization's
information security policy but do not know how, or whether, they should bring them
up to senior management. Education is necessary to combat fraud and
identity theft, but any company will need buy-in from senior management
for any policy to be effective. The Red Flag Rule states that the policy
must be administered by a board of directors or, in the case of smaller
entities that may not have a board of directors, a member of senior
management. Together, proper education of all employees and senior
management driving the operational and cultural changes necessary to
implement a formal red flag policy are a step in the right direction.

What is equally important, and something I did not notice in the referenced
document, is the vendor integrity requirement of the law. A covered entity
must ensure not only its own compliance but must also consider the
information security posture of any vendor, supplier or third-party provider
with whom it exchanges sensitive data or who has access to sensitive data.
All too often we hear about a loss of data where a third-party vendor
mishandled a consumer's PII. It is apparent in today's world that
organizations need to train their employees regularly and have senior
management coordinate the cultural and operational changes, but it is equally
important to know that vendors and suppliers are doing the same. If your
organization does everything properly and one vendor or supplier does not
share the same kind of reverence for protecting PII, your company is still at
risk.

Derek Rigsby
Vice President
Product Development
idBUSINESS / idCURE
Denver, Colorado
720.278.0756 - Mobile
Derek.RigsbyidCURE.com

-----Original Message-----
From: dataloss-bouncesattrition.org [mailto:dataloss-bouncesattrition.org]
On Behalf Of Michael Hill, CITRMS
Sent: Thursday, September 04, 2008 11:03 AM
To: Henry Brown; datalossattrition.org
Subject: Re: [Dataloss] fringe Federal law and ID theft prevention

I want to add one thing to this very informative article from Jones Day
written by Kevin Sykes that I believe is an important part of the
administering of the "Identity Theft Prevention" program under the Red Flag
Rules. As a consultant who has assisted many companies in their ID Theft
program, training their employees on the program and the reality of identity
theft is an absolute must for all businesses. I think it's .90(e) in the
rules.

We read article after article on this webboard about data breaches and the
loss of PII and it seems the human element plays a VERY big part. To not
train ALL your employees, I think, would be leaving your business open to
even more liability. Yes, even the warehouse personnel as well.

Michael Hill
Certified Identity Theft Risk Management Specialist
404-216-3751
www.idtheft101.net

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss