IDENTITY THEFT

“The fastest growing white-collar crime in America”According to the FBI

Employer Compliance

Royce McCoy, CITRMS Identity Theft Risk

Management Group, LLC

The Institute of Fraud Risk Management is the nation’s only professional certification program (CITRMS) specifically developed to train and equip professionals to understand and address Identity Theft and related fraud issues.

The Problem of Identity Theft♦ What identity theft is in reality♦ Laws related to identity theft that affect

employers, executives and business owners

The Answer to Problem♦ Implement reasonable steps to create an

Affirmative Defense that will lower your risk and minimize your liability.

Overview….

Identity Theft is spiraling out of control!

Over 255 million American’s Identities have been reported lost or stolen since Jan. 2005. – PrivacyRights.org

Over 400,000 Dead People opened Bank accounts last year– AARP

The revenue from trafficking financial data has surpassed that of drug trafficking. – Secret Service March 2007

Every Three seconds (27,000 times per day) someone becomes a victim of Identity Theft. – USA TODAY

Drivers License

Medical Financial

Identity theft is not just about credit cards, it’s a legal issue !Over 70% of the time access to an attorney will be critical to

resolve these issues.

Social Security

Criminal

Five Common Types of Identity TheftLess than

28% 10 M sold every 6 weeks

WSJ Fastest growing IDT

Unofficial National ID

Wrongful Arrest

Let’s look at a video clipFrom CNN showing how

Identity Theft affects victims

Identity Theft is in the

News….

57% of victims had NEW ACCOUNTS opened in their name

62% had warrants issued for their arrest

82% found out through an adverse action

Out of pocket cost averaged $1,865.27 per victim

Victims spent an average of 157.87 hours trying to clean up the mess..

63% could not get their credit reports cleared

22% have their SSN tied to someone else’s

19% had their fraud alerts ignored *(Identity Theft Resource Center2007)

Latest Facts about Identity Theft*

Correcting the victims’ records is so overwhelming it is imperative for Employers to protect the data.

“Once the credit systems accept bad data it can be next to impossible to clear.”

USA Today June 5, 2007

“Medical identity theft can impair your health and finances… and detecting this isn’t easy… and remedying the damages can be difficult.”

Wall Street Journal October 11, 2007

Where the Law Becomes Logical

“A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.”

Douglas Hottle, Meyer, Unkovic & Scott, “Workplace Identity Theft: How to Curb an HR Headache”BLR: Business and Legal Reports, September 19, 2006

♦ FACTA (The Fair and Accurate Credit Transaction Act)

♦ The “Red Flag” rules

♦ Individual State Laws (44 States have adopted their own additional ID Theft Laws)

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Important Legislation

Identity Theft Resource Center, of the approximately 44 million Americans who have been the victims of identity theft at some point, each spent an average of 600 hours and $1,495 getting their finances straightened out. And, that doesn’t include attorney’s fees.

Identity Theft Resource Center, of the approximately 44 million Americans who have been the victims of identity theft at some point, each spent an average of 600 hours and $1,495 getting their finances straightened out. And, that doesn’t include attorney’s fees.

In 2004, identity theft cost financial institutions and businesses an estimated $52.6 billion,

In 2004, identity theft cost financial institutions and businesses an estimated $52.6 billion,

An Overview of FACTA:• FACTA was signed by President Bush on December 4, 2003.• The provisions of the law have been phase in over the past few years, and all are now in effect.

An Overview of FACTA:• FACTA was signed by President Bush on December 4, 2003.• The provisions of the law have been phase in over the past few years, and all are now in effect.

However, these new provisions also create serious new responsibilities – and potential liabilities – for businesses nationwide. Simply put, if data aiding an identity theft originates from a security breach at your company, you could be sued, fined, or become a defendant in a class-action lawsuit by affected employees whose personal information has somehow gotten out.

However, these new provisions also create serious new responsibilities – and potential liabilities – for businesses nationwide. Simply put, if data aiding an identity theft originates from a security breach at your company, you could be sued, fined, or become a defendant in a class-action lawsuit by affected employees whose personal information has somehow gotten out.

•Employers – including individuals • Insurers • Lenders• Mortgage brokers• Landlords• Automobile dealers• Attorneys• Debt collectors• Private investigators• Tax preparers• Financial Advisors and Credit Counseling Svc• Investment or financial advisory Services• Financial management and tax planning etc….

•Employers – including individuals • Insurers • Lenders• Mortgage brokers• Landlords• Automobile dealers• Attorneys• Debt collectors• Private investigators• Tax preparers• Financial Advisors and Credit Counseling Svc• Investment or financial advisory Services• Financial management and tax planning etc….

This law applies to any business, regardless of size, that collects personal information or consumer reports about customers or employees to make decisions within their business (including names, credit card numbers, birthdates, home addresses and more).

This law applies to any business, regardless of size, that collects personal information or consumer reports about customers or employees to make decisions within their business (including names, credit card numbers, birthdates, home addresses and more).

Who Does FACTA Affect ?

• Civil liability. An employee could be entitled to recover actual lossses sustained if their identity is stolen from an employer. Or, an employer could be liable for statutory damages for up to $1,000 per employee.• Class action lawsuits. If large numbers of employees are impacted, they may be able to bring class action suits and obtain punitive damages from employers. • Federal fines. The federal government could fine a covered business up to $2,500 for each violation.

• Civil liability. An employee could be entitled to recover actual lossses sustained if their identity is stolen from an employer. Or, an employer could be liable for statutory damages for up to $1,000 per employee.• Class action lawsuits. If large numbers of employees are impacted, they may be able to bring class action suits and obtain punitive damages from employers. • Federal fines. The federal government could fine a covered business up to $2,500 for each violation.

Penalties

……all businesses must be able to show that they have a security plan in place.

……all businesses must be able to show that they have a security plan in place.

In order to comply with FACTA, Betsy Broder, the Assistant Director of that FTC division, was quoted in the March 2006 American Bar Association Journal saying that means businesses need to have a written plan describing how customer data will be safeguarded and a staff member or company officer designated to be responsible for implementing that plan.

Broder went on to say, “We’re not looking for a perfect system. But we need to see that you’ve taken responsible steps to protect your customers’ information.”

In order to comply with FACTA, Betsy Broder, the Assistant Director of that FTC division, was quoted in the March 2006 American Bar Association Journal saying that means businesses need to have a written plan describing how customer data will be safeguarded and a staff member or company officer designated to be responsible for implementing that plan.

Broder went on to say, “We’re not looking for a perfect system. But we need to see that you’ve taken responsible steps to protect your customers’ information.”

Now What? It’s Time to Develop a Plan!

According to the FTC, a “reasonable” plan to safeguard personal information includes:

According to the FTC, a “reasonable” plan to safeguard personal information includes:

Designate an employee (or employees) to coordinate and be responsible for the security program.

Designate an employee (or employees) to coordinate and be responsible for the security program.

….include employee training…. ….include employee training….

Continually evaluating and adjusting the security plan…..

Continually evaluating and adjusting the security plan…..

Create a mitigation plan…..This mitigation plan should kick in when there is a privacy or security breach and there is a need to “repair it” immediately in the eyes of customers, government regulators, and management.

Create a mitigation plan…..This mitigation plan should kick in when there is a privacy or security breach and there is a need to “repair it” immediately in the eyes of customers, government regulators, and management.

A sensible and effective program will go a long way towards reducing the risk of federal government enforcement, even if the security policy should fail in a particular situation and a security breach results.

A sensible and effective program will go a long way towards reducing the risk of federal government enforcement, even if the security policy should fail in a particular situation and a security breach results.

Federal Trade Commission - Bureau of Consumer Protection - Division of Consumer & Business Education

New ‘Red Flag’ Requirements for Financial Institutionsand Creditors will Help Fight Identity Theft

……requiring financial institutions and creditors to develop and implement written identity theft prevention programs,

as part of the Fair and Accurate Credit Transactions (FACTA) of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities — known as “red flags” — that could indicate identity theft.

……requiring financial institutions and creditors to develop and implement written identity theft prevention programs,

as part of the Fair and Accurate Credit Transactions (FACTA) of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities — known as “red flags” — that could indicate identity theft.

…a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers.

…a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers.

PG. 1

Financial institutions and creditors soon will be required to implement a program to detect, prevent, and mitigate instances of identity theft.Financial institutions and creditors soon will be required to implement a program to detect, prevent, and mitigate instances of identity theft.

Federal Trade Commission - Bureau of Consumer Protection - Division of Consumer & Business Education

New ‘Red Flag’ Requirements for Financial Institutionsand Creditors will Help Fight Identity Theft

PG. 2

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and

government entities “defer payment” for goods or services, they, too, are to be considered creditors.

Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and

government entities “defer payment” for goods or services, they, too, are to be considered creditors.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. A covered account is also an account for which there is a foreseeable risk of identity theft.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. A covered account is also an account for which there is a foreseeable risk of identity theft.

Federal Trade Commission - Bureau of Consumer Protection - Division of Consumer & Business Education

PG. 3

Federal Trade Commission

June 2008

For The Consumer

ftc.gov

1-877-FTC-HELP

Complying with the Red Flag Rules

The program must also describe appropriate responses that would prevent and mitigate the crime…..The program must also describe appropriate responses that would prevent and mitigate the crime…..

The program must be managed by the Board of Directors or senior employeesThe program must be managed by the Board of Directors or senior employees

…include appropriate staff training, and provide for oversight of any service providers.…include appropriate staff training, and provide for oversight of any service providers.

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs — or “red flags” — of identity theft.

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs — or “red flags” — of identity theft.

These rules also provide that covered accounts, creditors and businesses must also ensure their service providers and subcontractors comply and have reasonable policies and procedures in place. The rules state:

♦ Liability follows the data.

♦ A covered entity cannot escape its obligation to comply by outsourcing an activity (payroll, accounting, employee leasing web hosting, customer call center etc.). Businesses must exercise appropriate and effective oversight of service provider arrangements.

♦ Service providers and contractors with whom the covered accounts exchange PII must comply by implementing reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity theft.

Be Sure To Check With Your Attorney On How This Law May Specifically Apply To You

Red Flag Rules

“Create a culture of security by implementing a regular schedule of employee training” (pg 17)

“Make sure training includes employees at satellite offices, temporary help, and seasonal workers.” (pg 17)

“Ask every employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data” (pg 16)

Protecting Personal Informationa Guide For Business

"Many businesses don't realize, that even though the FTC isn't enforcing compliance, it doesn't mean those businesses won't be liable if a data breach or loss of information occurs," (Debra Geister, Director of Fraud Prevention and Compliance Solutions at Lexis-Nexis.)

The key issue is that the law was effective January 1, 2008. The enforcement date begins May 1, 2009.

Red Flag Rules

Red Flag Rules recently became effective in January 2008, and compliance was originally required by November 2008. The FTC’s enforcement of the Rule has been extended to May 1, 2009:

Bank Info Security - ID Theft Red Flags Rule: FTC Extension is no 'Break'Enforcement Delayed for FTC-Governed Institutions; Liability is Not

November 12, 2008

With the workplace being the site of more than half (52%) of all identity thefts, HR executives must stop thinking about data protection as solely an IT responsibility. More education on appropriate handling and protection of information is necessary, among other efforts.

“ID Thefts Prevalent at Work”, Human Resource Executive, April 5, 2007

Identity Theft Prevalent at Work

Risk Management Magazine January 2007

“Many of the corporate risks associated with identity theft can be mitigated by the development and implementation of sound policies, systems and procedures. Others will ultimately become matters for the courts. Those risks that flow from the affected individual, however, must be managed using available tools and products that both support the individual and protect the employer. In the absence of a solid risk management plan for identity theft, the potential losses are nearly unlimited.”

The Cost to Businesses

Employees can take up to 600 hours, mainly during business hours, to restore their identities

If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!

When it comes to cleaning up this mess, Employers spend an average 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim. (CIO Magazine, The Coming Pandemic, M. Fredenberg, 5/15/06)

In 2006 Identity Theft cost financial institutions and businesses estimated $61 billion. (Federal Reserve Bank- Atlanta 09/08)

Law Firms Are Looking for Victims

“Do you suspect that a large corporation or your employer has released your private information (through an accident or otherwise)? If you are one of many thousands whose confidential information was compromised, you may have a viable class action case against that company. Contact an attorney at the national plaintiffs' law firm of Lieff Cabraser to discuss your case. Lieff Cabraser defends Americans harmed by corporate wrongdoing.”

“Instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks -- literally millions at a time.”

Employers must create an

Identity TheftRisk Management

Program to Minimize your Risk

What an Employer must do…..

♦ Set up reasonable steps to protect non-public information (NPI),personally identifiable information (PII).

♦ Help create a ‘Culture of Security’ by implementing a regular schedule of employee training.

♦ Create a potential ‘Affirmative Defense’ for your company.

♦ Help protect employees and customers while potentially decreasing your company exposure and liability.

♦ We can help start the compliance process for the Employer. We will provide templates for the appointment of the security officer , the written ID Theft security plan and other documents to help create a potential Affirmative Defense.

♦ To assist the Employer with compliance issues, we will conduct the training required by law for your employees. We will also explain the different types of ID Theft and show your employees how they can protect themselves if they become a victim and why their and your customers’ personal information must be protected.

♦ We can provide the services at no direct cost to the Employer.

Create an Affirmative Defense

Appointment of Security Compliance Officer

February 1, 2008[insert employee designee]RE: Appointment of Security Compliance OfficerDear [employee]: As part of [Company’s] comprehensive information security program, we are pleased to appoint you as Security Officer. As Security Officer you will be responsible to design, implement and monitor a security program to protect the security, confidentiality and integrity of personal information collected from and about our employees, consumers and vendors. As Security Officer you will help [Company] identify material internal and external risks to the security of personal information; design and implement reasonable safeguards to control the risks identified in the risk assessment; evaluate and adjust the program in light of testing results; and continuous monitoring of the program and procedures. As Security Officer, [Company] will provide you access to training courses and materials on a continuing basis. Thank you for your commitment to [Company]. Sincerely, [Company] Chief Executive Officer

To All Employees [Company] RE: MANDATORY EMPLOYEE MEETING

PRIVACY AND SECURITY PROGRAM AND IDENTITY THEFT TRAINING [insert date, time and location] On [insert date], [company] will host a mandatory employee meeting and training session on identity theft and privacy compliance. Additionally, as an employee, you will be provided an opportunity to purchase an identity theft product. As you know, [company] makes every effort to comply with all Federal Trade Commission guidelines to protect personal employee, customer and vendor information. As part of our security program, we want to train all employees on concrete steps to help reduce the risk of security breaches and identity theft. This program is important to [company] and your attendance is mandatory. I look forward to seeing each of you there on [date]. Sincerely, [Company] CEO

Announcement of Employee Training

All Employee Training is done by Certified Identity Theft Risk Management Specialist through the Institute of Fraud Risk Management.

www.tifrm.net

ID Theft Plan and Sensitive and Non-Public Information Policy

SENSITIVE INFORMATION POLICY AND IDENTITY THEFT PREVENTION PROGRAM

1. BACKGROUND The risk to the company, its employees and customers from data loss and identity theft is of significant concern to the company and can only be reduced through the combined efforts of every employee and contractor. 2. PURPOSE The company adopts this sensitive information policy to help protect employees, customers, contractors and the company from damages related to loss or misuse of sensitive information. This policy will:

Define sensitive information Describe the physical security of data when it is printed on paper Describe the electronic security of data when stored and distributed

Putting the Identity Theft Prevention Program in place enables the company to protect existing customers, reducing risk from identity fraud and minimize potential damage to the company from fraudulent new accounts. The program will:

Identify Red Flags that signify potentially fraudulent activity within new or existing covered accounts Detect Red Flags when they occur in covered accounts Respond to Red Flags to determine if fraudulent activity has occurred and act if fraud has been

attempted or committed Update program periodically, including reviewing accounts that are covered and Red Flags that are

part of the program

The purpose behind an Identity Theft Sensitive and Non-

Public Information policy is to protect the non-public

information (NPI) and Personally Identifiable Information

(PII) an employer collects from customers and employees.

This Information can be names, addresses, phone numbers,

credit card numbers, drivers license numbers, bank account

numbers, social security numbers etc. Basically any data

that identifies an individual and could be used to steal his or

her identity.

Mitigating Damages

Use of ConfidentialInformation by Employee

♦ It makes Employees aware of their legal responsibilities to protect NPI

♦ It serves as proof that employees have completed the training required by law

To potentially protect yourself, you should have all employees sign this document…

Be Sure To Check With Your Attorney Before Using A Form Such As This

Cont’d – This form or one similar is required by the FTC for all employees*

* FTC – Protecting Personal Information A Guide For Business pg 15

Use of Confidential Information By Employee

I_______________ As an employee of _________________ I do hereby acknowledge that I must comply with a number of state and federal laws which regulate the handling of confidential and personal information regarding both customers/clients of the company and it’s other employees. These laws may include but not limited to FACTA, HIPPA, the Privacy Act, Gramm/Leach/Bliley, ID Theft Laws (where applicable).

I understand that I must maintain the confidentiality of ALL documents, credit card Information, and personnel information of any type and that such information may only be used for the intended business purpose. Any other use of said information is strictly prohibited. Additionally, should I misuse or breach and personal information of said clients and or employees, I understand I will be held fully accountable both civilly and criminally, which may include, but no limited to, Federal and State fines, criminal terms, real or implied financial damage incurred by the client, employee or the company.

I have received a copy of the company’s Sensitive and Non-Public Information Policy. I understand and will fully comply with its provisions along with all other rules and regulations the company has in place regarding the handling of confidential information so as to protect the privacy of all parties involved . I also acknowledge that I have participated in a company sponsored Privacy and Security Identity Theft Training Program.

________________________________________ __________________Employee Signature Date

________________________________________Witness Signature

* Subject To Terms And Conditions

The new Identity Theft laws state employers can be held liable for actual losses and punitive damages incurred by affected employees due to identity theft in the workplace. (FACTA December 2003/Texas Business Today Winter 2007)

An Employer can reduce their liability by making available to employees a personal mitigation plan. Each employees who participates in this plan can help reduce your liability to potential losses related to ID Theft.

Offering a mitigation plan as a fringe benefit or through payroll deduction is a pro-active step to create an Affirmative Defense , help reduce your risk and mitigate losses.

Reduce Company Losses

Our Our Mitigation Mitigation Plan Plan is is provided by two NYSE companies,provided by two NYSE companies,

Kroll Risk Consulting Co. & Pre-Paid Legal ServicesKroll Risk Consulting Co. & Pre-Paid Legal Services

A mitigation plan that includes Credit Montoritoring, full Restoration and access to

Legal Counsel can reduce your risk and exposure to Identity Theft

CreditMonitoring

Access to Legal Counsel

Restoration

Provides Benefits for your Employees: CREDIT REPORTS & CREDIT SCORE

You receive an up to date copy of your credit report & know how lending institutions view you!

CREDIT MONITORINGYou’ll receive prompt notice if any new accounts are opened in your name…or if derogatory notations are added to your credit report !

IDENTITY RESTORATION Get the help you need when you need it with a licensed investigator from Kroll Inc., the world’s leading risk consulting company!

PROACTIVE SEARCHES Local and national databases will be checked for criminal activity in your name, DMV records for Driver’s licenses IDT, SSN records and more….

Identity Theft

SHIELD

Forbes Magazine ranks Kroll as the world’s leading risk Consulting Company

Kroll is the only data security and breach recovery solution provider to employ licensed investigators (many former FBI and CIA agents) who

methodically restore an individual’s identity to pre-theft status.

Covers all five area of Identity Theft…..

Kroll was founded in 1972. They have over 4,000 employees and offices in 25 countries worldwide. They were acquired in 2004 by

Marsh McLennan Inc., a NYSE listed company.

Access to Legal Counsel provided by Pre-Paid Legal Services, a Access to Legal Counsel provided by Pre-Paid Legal Services, a 36 year old New York Stock Exchange Company, represented 36 year old New York Stock Exchange Company, represented by 48 provider laws firms and thousands of referral attorneys by 48 provider laws firms and thousands of referral attorneys

throughout North Americathroughout North America

Provide Proof a Mitigation Plan was offered to Your Employees

Identity Theft Protection and Legal Service (Proof of offer of a Mitigation Plan)

As an employee of _______________________ located in ____________________, acknowledge that a Pre-Paid Legal Services, Inc., independent sales associate made available to me the Identity Theft Shield and a Pre-Paid Legal Services, Inc. membership. Identity Theft Shield:

o Initial credit report and guide on how to read the report o Continuous credit monitoring o Identity restoration in the event of a theft

Life Events Legal Plan:

o Preventive legal services provided through a network of independent provider attorney law firms in each state and province o Phone Consultation with Attorneys/Review of Documents/Phone Calls and Letters for any legal matter and issues regarding

identity theft including concerns regarding my: 1) drivers license, 2) medical information, 3) social security number, 4) character/criminal identity, and 5) my credit identity and information

o A Will for me and my spouse o Motor vehicle moving violation representation o Trial defense o IRS audit o Legal Shield 24 hours a day, 7 days a week when arrested or detained o Discounted rate for other legal services

I have seen the presentation with the specific benefits, limitations and exclusions of these plans. The company made these benefits available to me at my expense.

___ I have decided to enroll. ___ I have decided not to enroll in the plan at this time.

Name: _____________________________ Date:_______________________ Signature: __________________________ Witness:_____________________

The Advisory Council was established to provide quality counsel and advice.

Legal Advisory Council

Duke R. LigonAdvisory Council Member Former Senior V.P. & General Counsel Devon Energy Corp

Grant Woods

Advisory Council Member Former Arizona Attorney General

Andrew P. Miller Advisory Council Member Former Virginia Attorney General

Mike Moore Advisory Council Member Former Mississippi Attorney General

•Former Attorney General Mississippi

•Former Attorney General Oklahoma

•Former Attorney General Arizona

•Former Attorney General Virginia

•Current President & CEO, U.S. Chamber of Commerce

•Current President & CEO, National Black Chamber of Commerce

•Former President of the American Bar Association

Public Endorsements

Just like OHSA, the American Disability Act or HIPAA, Privacy and Security laws are not optional. We can assist your company in starting the compliance process and create an affirmative defense before a data breach, loss, or theft affects your employees or customers!

Take Charge

The next step is to schedule the required employee training and set up the other reasonable steps to help reduce your liability to these Identity Theft Laws. The compliance enforcement date is fast approaching. Who is the individual, at your company, that will coordinate this activity ?

Thank Thank You!You!

Identity Theft Risk Management Group, LLC