| What are the Red Flag Rules? |
The "Red Flag Rules" amend the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The legislation lists 26 possible "red flags" that are common indicators of identity theft, and calls upon businesses that offer flexible payment terms ("covered accounts") to have a written policy on how the business will handle the applicable "red flags" from that list.
|
| Do I need to be compliant with the Red Flag Rules? |
If your business offers credit or flexible payment to customers, or if your customer accounts present a reasonably foreseeable risk of identity theft, you must be compliant. To find out for sure, take our free, no-risk Needs Assessment, which will match your company against the Red Flag Rules and 5 other important pieces of compliance legislation: HIPAA, PCI, GLBA, FISMA, and FERPA.
|
| What happens if I'm not compliant? |
If you are noncompliant and suffer a data breach, you may be subject to fines of up to $1000 per record lost. In addition, your noncompliance makes you a target for class action litigation, even if you do not suffer a data loss, because you will have demonstrated negligence in protecting customer data.
|
| Why should I sign up? Can't I create my own Red Flag Policy? |
You can create your own policy from the 26 Red Flags outlined in the legislation on www.ftc.gov. However, the legislation requires that you update your policy with new "red flags," which requires constant monitoring. We take that burden off you, providing a full year of updates for your annual subscription fee. In addition, the Red Flag Rules require an Incident Response Capability in case an identity theft event or breach occurs. As a subscriber, you gain access to the leaders in data breach response.
|
| Can multiple branches or locations use just one compliance policy? |
No. The Red Flag Rules require a separate compliance plan for each physical business location that maintains covered accounts. However, if your organization has a large number of locations, enterprise solutions are available that will reduce your per-location cost. Contact us for details.
|
| I took the Needs Assessment and it says I need to comply with legislation other than the Red Flag Rules. Do you offer other solutions besides the Red Flag Compliance Module? |
Yes. Our QuickStart product will satisfy a range of compliance needs across all types of organizations. We will also release a new Compliance Module in 2009 for PCI, the Payment Card Industry standard.
|
| Is there a way I can contact the FTC directly regarding Red Flag Compliance and my business? |
Email redflags@ftc.gov to learn more.
|
| I've completed the Red Flag Compliance Module. Isn't this enough? |
While compliance with the Red Flag Rules is a great first step toward comprehensive information security, it does not lower your risk profile for suffering a data breach. Our QuickStart product offers a series of guides, templates and checklists that help your organization in three main areas: technical, operational, and administrative. Together, the QuickStart policies give your organization the complete foundation it needs to protect information.
|
| How can I print my Risk Assessment or Needs Assessment responses? |
The Risk Assessment appears in a frame, which means your browser may not let you print the entire assessment with your responses. If you need a paper trail of your responses, select the text of the entire assessment before clicking submit, then copy and paste it into a Microsoft Word document.
|
| Shouldn't this be IT's concern? |
While it is crucial and essential, Information Technology is only one facet of true information security. Think about the case of a fired employee who is able to copy his hard drive before leaving, or the box of hard copy files that no one has gotten around to shredding. These are just two examples that fall outside IT's control but could represent massive data loss. It's important to involve IT in the process, but ultimately, senior management must drive it.
|
| How do I know where to begin? |
If you're not sure, start with our Risk Assessment. For only $60, you will gain access to an online assessment that will rank your current practices in 12 key areas against your industry and global best practices. If you decide that you need QuickStart, or any of our other products, after completing the assessment, we'll credit your $60 fee back toward your purchase.
|
| I've downloaded my policy, and it includes the word "nbsp" in it. What does this mean? |
"nbsp" stands for "non-breaking space" (the HTML entity `&nbsp;`). It means that our system failed to recognize a character in your typing and substituted a default non-breaking space, which then appeared in the downloaded policy as the literal text "nbsp".
|
| I clicked "next" and the resulting page was "Server Error". What does this mean? |
The Readiness Center is a highly secure online environment, which means it is more likely than other sites to block a submission that looks like a potential attack. If you encounter a Server Error, it may be the result of special characters or formatting within text that you customized. Click the back button on your browser, log out, then log back into readinesscenter.com. Your progress will be saved up to the stage that caused the error. Try that stage again without special characters or formatting.
|
| I had to step away from my desk. When I returned, I got a "Server Error." What does this mean? |
Our system logs users out after 60 minutes of inactivity for security reasons. If you step away from your desk for more than an hour and then try to continue working, the system will block you. Return to the login page; your progress will be saved up to the stage prior to the one where you stepped away.
|
| Where does my Red Flag policy download? |
Your policy will download as a PDF to your desktop or to the folder set in your browser's download preferences. In addition, your policy will be available in the download center on your Red Flag Compliance Module or QuickStart home page.
|
| Where does my Risk Assessment results document download? |
Your results will download as a PDF to your desktop or to the folder set in your browser's download preferences. In addition, your results document will be available in the download center on your Red Flag Compliance Module or QuickStart home page.
|
| I am unable to see my employees' scores in the training module. |
Currently, Red Flag compliance only mandates that you have a training program in place, not that any specific score is met. Future releases of the program will include scoring so you can assess individual employees; however, for purposes of compliance, completion alone will suffice.
|
| How does the Red Flag Compliance Module help train my employees? |
Our Training Center includes short tutorial videos for employees and for management. After viewing a tutorial, an employee completes a short quiz to verify they understand the Red Flag Rules and their importance to the organization. Each employee's completion is noted on your organization's Compliance Report.
|
| My vendor has not taken the Vendor Integrity Assessment. Does this mean I am noncompliant? |
No. Compliance requires you to undertake a good faith effort to understand your vendors' programs; you're not expected to be a big brother or force them to comply. However, if a vendor refuses to take the assessment or scores very poorly, we recommend taking this fact into consideration if another option is available, as half of all data breaches are caused by third-party suppliers.
|
| The Red Flag policy creation doesn't seem to address all of the focus areas presented in the Risk Assessment. Why? |
The Risk Assessment is an introduction to the comprehensive Information Security concepts that are addressed by QuickStart. It's designed to give you a complete picture of your entire organization, and all of the potential causes of a data breach. The Red Flag Rules, on the other hand, are very specific in scope, and require you only to have a policy that mitigates the risks of identity theft. Your Red Flag policy is a great stepping stone toward comprehensive information security, but in order to secure all 12 focus areas outlined in the Risk Assessment, we recommend QuickStart.
|
| I put my Vendor's email address into the Vendor Integrity Assessment, but I received the email notification. Do I need to forward this message? |
No. You are cc'ed on the email that goes to your vendor.
|
| I put my employee's email address into the Employee Training, but I received the email notification. Do I need to forward this message? |
No. You are cc'ed on the message that your employee receives.
|
| I forgot my sales representative's phone number or email address. How do I get that information? |
Call 1-888-432-4908 to speak to a Customer Care Agent.
|
| I would like to speak with a sales representative. How do I get assigned an agent? |
Complete the form in the "Contact Us" section of the site. A representative will be in touch with you within 1 business day.
|
| Is there a way I can test the product? |
We offer live demos every Thursday at 4 PM EST, when you can "look under the hood" to see how the solution works.
|