Identify Theft Red Flags

West Virginia Executive Branch
Privacy Policy: Accountability, Security Safeguards

Identify Theft Red Flags

Question:

My wife is a veterinarian in private practice and has been hearing about something she refers to as “Red Flag Rules.” She seemed to think I should know something about these rules through the Privacy and Security trainings I’ve taken. Well, I don’t like to admit it but I’m clueless here! Can you help?

Answer:

There has been much discussion in the privacy press about the proposed Federal Trade Commission “Red Flag Rules.” These rules would require every company that offers consumer credit – even just payment in arrears – to implement a program to detect and prevent identity theft. Because the rules would impact virtually every professional, from doctors and dentists, to lawyers, to plumbers and other service people who send invoices for their work, there are serious questions as to whether the rules are too burdensome. Congress is working to provide additional guidance and exceptions for small businesses, and the FTC has delayed the rules until these efforts are finalized.

Despite the controversy, there are many lessons that we can learn from the proposed Red Flag Rule. Identity fraud is a big issue for West Virginia, and there are many situations when it is vital that we know we are dealing with the right person. For example, we need to authenticate people’s identities when we provide employee benefits, deliver healthcare, issue driver’s licenses, and distribute other government benefits.

The Red Flag Rule lists 26 “flags” that could indicate that a person is using a false identity. These flags are grouped into 5 categories: 

    1. Alerts from a consumer reporting agency – such as the fact that a person has an active duty military alert or a credit freeze on his or her credit report; 

    2. Suspicious documents – such as presentation of an ID document that looks altered, or where the photo does not match the person presenting it; 

    3. Suspicious personal information – such as names or addresses that don’t match identifying documents, or other suspicious information such as a Social Security number that is associated with a deceased person in the Social Security Administration Death Master File or an address that is a mail drop; 

    4. Suspicious account activity – such as unusual change of address requests, or use of an account that is consistent with known patterns of fraud; or 

    5. Notice from other sources – such as a call from a consumer stating that she has been the victim of identity theft or an alert from law enforcement.

Even if the Red Flag Rule never takes effect, it still provides useful guidance on the types of identity theft indicators that exist. If you deal with consumer applications, take a few minutes to read the rule and familiarize yourself with these flags! The FTC Red Flag website can be found at: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml

Note: Your agency/bureau/department/division may have specific requirements – always check your policies and procedures. If you have questions, contact your Privacy Officer.