Monday, August 9, 2010

Assessing Associations' Identity Theft Red Flags and Risks

Here's the second half of the article I posted a couple of weeks ago by Thomas A. Cohn and Jeffrey S. Tennenbaum at Venable, LLP.  Assessing Associations Identity Theft Red Flags and Risks This would be a sample worksheet to help you assess your risk.  It's probably be helpful to you to re-read the above article before beginning this one.  We hear so much about identity theft these days and certainly no database is safe, but it is incumbent on nonprofits to do everything they can to keep people's most sensitive information safe.  Bunnie

ASSESSMENT OF ASSOCIATION’S ACCOUNTS/SERVICES, METHODS FOR OPENING ACCOUNTS, METHODS FOR ACCESSING ACCOUNTS


[Association] allows customers to open and access accounts and conduct transactions in-person, by mail, by telephone, and online [modify and change accordingly, both here and on following charts, to eliminate any irrelevant charts or portions thereof]. The risk of identity theft relating to the type of account, and the means of opening and accessing accounts and conducting transactions, are assessed below:

IN-PERSON


Accounts Offered Interaction IDT Experience Risk

Large corporate accounts

Small corporate accounts

[insert any other distinct types of account]

Sole proprietorship/ individual accounts

The overall risk rating for account opening, accessing accounts, and conducting transactions in person is [low/medium/high].

BY MAIL

Accounts Offered Interaction IDT Experience Risk

Large corporate accounts

Small corporate accounts

[insert any other distinct types of account]

Sole proprietorship/ individual accounts

The overall risk rating for account opening, accessing accounts, and conducting transactions in person is [low/medium/high].

BY TELEPHONE

Accounts Offered Interaction IDT Experience Risk

Large corporate accounts

Small corporate accounts

[insert any other distinct types of account]

Sole proprietorship/ individual accounts

The overall risk rating for account opening, accessing accounts, and conducting transactions in person is [low/medium/high].

ONLINE

Accounts Offered Interaction IDT Experience Risk

Large corporate accounts

Small corporate accounts

[insert any other distinct types of account]

Sole proprietorship/ individual accounts


[Note: In determining the association's risk regarding accounts/services and methods for opening and accessing accounts/services, you should review all types of accounts/services offered to customers, and note any restrictions on accounts/service availability that might mitigate risk. Also, review all methods for opening and accessing accounts/services and any restrictions that might mitigate risk.]

ASSESSMENT OF ASSOCIATION'S PRIOR EXPERIENCES WITH INFORMATION SECURITY BREACHES AND/OR IDENTITY THEFT CONCERNING CUSTOMER ACCOUNTS

[Association] had [number] data security breach[es] in XXXX, 200X [if true, and modify number and response accordingly]. No customer account information was accessed, and no customer accounts were accessed. In response to this breach, [Association] ______________________ [e.g., monitored accounts for a period of X months and instituted additional identification checks for accessing customer accounts to conduct transactions].

To date, [Association] is aware of [number] occurrence[s] of identity theft, concerning unauthorized access to our customer accounts, either in account opening, account access, or transactions conducted. In response to these occurrences, [Association] ______________ [issued a full credit to each affected customer, and instituted additional identification checks for accessing customer accounts to conduct transactions]. [if true, and modify number and response accordingly].

[Association] maintains all regulatory alerts and business guidance on the Identity Theft Red Flags Rule (16 C.F.R. Part 681) (the “Rule”) issued by the Federal Trade Commission (“FTC”). Based on the above risk assessment and all applicable FTC alerts and business guidance, [Association] assesses the risk to its customer accounts from identity theft to be low. Because these are accounts for which there is not a foreseeable risk of identity theft, these accounts are not “covered accounts” within the meaning of the Rule.

[Note: In determining the association's risk regarding prior experiences with information security breaches and/or identity theft, you should include a description of any past experiences, including the steps taken by the association to prevent any further experiences. Also include other factors such as regulatory actions/findings; legal actions; insurance coverage; and/or independent analysis of any third-party vendors.]

CONCLUSION

While [Association] is a “creditor” within the meaning of the Rule, its customer accounts are not “covered accounts” under the Rule. Based on the above risk assessment, [Association] determines its overall risk regarding identity theft to be low. [but see Note below, if overall risk is medium or high] Because [Association] does not offer accounts for personal or household purposes, and because its customer accounts have experienced few occurrences of identity theft, when viewed in relation to either the total number of accounts or the total number of annual transactions, these accounts do not face a foreseeable risk of identity theft. Therefore, they are not “covered accounts” within the meaning of the Rule.

Because [Association]'s customer accounts do not fall within the scope of the Rule, [Association] is not required to establish any specific Policies or Procedures in order to comply with the Rule. [Association] will conduct a similar Risk Assessment annually, in order to determine whether any changes in identity theft threats have caused its accounts to be considered “covered accounts” under the Rule, and thus to require enactment of such Policies or Procedures.

[Note: The risk assessment should reach an overall conclusion as to the association's risk regarding identity theft. The above conclusion is drafted with a low overall risk assessment, and hence no Rule coverage. However, if the overall risk assessment is medium or high, then the association may conclude that such risk is in fact "reasonably foreseeable" and therefore proceed to develop and enact the Policies/Procedures required by the Rule.]

SIGNED:

NAME/TITLE:

DATED:

* * * * * *

For more information, please contact Thomas A. Cohn at 212.370.6256 or tacohn@Venable.com or Jeffrey S. Tenenbaum at 202.344.8138 or jstenenbaum@Venable.com.


This article is not intended to provide legal advice or opinion and should not be relied on as such. Legal advice can only be provided in response to a specific fact situation.

5 comments:

  1. Thanks for sharing this info, Bunnie. As I read it, I was reminded that donors give to organizations they perceive as well-run and competent. It is unfortunate that one "hacking" incident could damage donors' trust.

    ReplyDelete
  2. Thanks for sharing a format to use with this touchy topic. Charlaine

    ReplyDelete
  3. I have to admit, this is a topic I've not thought of. Thank you for taking the time to educate me!

    ReplyDelete
  4. "Doing the right thing" when it comes to the handling and communication of personal data will help build and keep trust with those your depend on. Thanks for raising our awareness about the topic of identify theft.

    ReplyDelete
  5. This is a good reminder that we as fundraisers must do everything we can to safeguard our donors' information.

    Sandy Rees

    ReplyDelete