The regulations implementing the federal Fair and Accurate Credit Transactions Act ("FACT Act") require many businesses to implement an identity theft prevention program by November 1, 2009. Businesses that must comply include hospitals and other healthcare providers, automobile dealers, retailers, banks, telecommunications companies, public utilities, government entities that provide electrical, water, sewer, garbage collection, or other services, and other companies that maintain information about individuals in their customer account files and databases. (We use the word “company” below to refer to each of these businesses.)
Board Approval. The company’s Board of Directors, or a committee of the Board, must approve the company’s initial program. The program must have the following elements:
- FACT Act Officer. The company must appoint an employee at the senior management level to serve as its FACT Act officer and to be responsible for its implementation of the program. At least annually, the company’s FACT Act officer must require reports from responsible persons in the company that evaluate the program and the company’s recent experiences with identity theft.
- Identifying Red Flags. The company must identify patterns, practices and specific activities that could occur in its business (called red flags) and that would indicate the possible existence of attempted or completed identity theft.
- Detecting Red Flags. The company must seek to detect red flags that occur in its business operations and must establish reasonable safeguards designed to prevent identity theft.
- Responding to Red Flags. The company must establish policies to respond to red flags that it detects based on the degree of risk a particular red flag poses.
- Service Provider Compliance. If the company engages a service provider to perform an activity in connection with its customer accounts, the company must take reasonable steps to ensure that the service provider performs those activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
Updating the Program. The company must update the program and its associated policies and procedures periodically to address current developments in identity theft risks and to improve its methods of addressing those risks.
Civil Penalties and Damages. A violation of the FACT Act regulations constitutes an unfair or deceptive act or practice in commerce in violation of Section 5(a) of the Federal Trade Commission Act. A knowing violation subjects the company to a civil penalty of up to $2,500 per violation. If a company negligently fails to comply, it may be liable to affected customers for their actual damages and reasonable attorney’s fees. If a company willfully fails to comply, the court is authorized to award affected customers punitive damages.
If you have questions about the FACT Act or would like assistance in establishing and implementing your company’s compliance program, please contact one of the following Parker Poe lawyers:
Stephen R. Hunting
William B. Cannon