Posted by rjbiii on April 8, 2009
The Red Flags rule, designed to tighten data security and fight identity theft, comes into force on May 1. The FTC has launched a web site to help businesses determine whether they need to comply, and how to do so.
According to the agency’s “How-to” guide (available as a PDF), the Red Flags rule mandates:
- The establishment of a program that includes reasonable policies and procedures to identify the “red flags” of identity theft a business may run across during its day-to-day operations.
- The program must be designed to detect the specific red flags that have been identified.
- The program must spell out the appropriate actions to be taken when red flags are detected.
- A process to re-evaluate current policies and programs.
- Implementation of the policies into business practices.
The entities that must comply with the new rule are:
- Financial Institutions; and
- Creditors (entities who regularly grant or arrange loans or extend credit to consumers or businesses, or make “credit decisions.”)
The rules were initially slated to become effective on November 1, 2008, but the FTC granted businesses a six-month delay. That reprieve is now ending, however.
Posted in Articles, Compliance, Information Governance, Red Flags Rule, Trends
Posted by rjbiii on April 7, 2009
Info World has posted an article casting doubt on the wisdom of using self-regulation to ensure compliance. The article highlights a story in which Macy’s has refused to provide contact information for customers who bought toy necklaces later found to contain lead. From the article:
Macy’s was one of the retailers that pulled the necklaces. But when L.A. Deputy District Attorney Daniel Wright asked for the records of customers who bought the necklaces, Macy’s refused to turn over any information. At issue is the ability to notify parents who purchased the necklaces for their children.
The article speculates that the reason for Macy’s refusal may be that the retailer is not in compliance with the Payment Card Industry Data Security Standard (PCI DSS). That aside, the bottom line is that self-regulation is being given a black eye.
A study released in December 2008 pointed out issues with the EU-U.S. Safe Harbor scheme administered by the Department of Commerce. That study claimed that only 22% of the companies that had “self-certified” as compliant with the Safe Harbor principles were actually compliant. The report’s basic conclusion was that the program had been ineffective.
The operational rationale behind self-regulation is undermined by figures such as those reported above. Information technology best practices rest, in substantial part, on the principles embodied in active self-regulation. Recent events, from the collapse of the financial sector to the misdeeds behind the situation facing mortgagees, illustrate the limits of self-regulation and recall to mind the maxim: trust…but verify.
Posted in Articles, Compliance, Self-Regulation, Trends | Tagged: Ephraim Schwartz, Info World
Posted by rjbiii on December 26, 2008
Computer Technology Review has posted an article describing the effect of the Federal Rules of Civil Procedure (FRCP) on business and corporate IT departments. The article repeats the now-familiar refrain to proactively manage your digital resources. One nice passage, though, discusses the difference between archives and back-ups:
This underscores the difference between an archive and a backup system. An archive in today’s regulatory and litigation preparedness sense is an actively managed set of information kept as a business record when needed and disposed of when not. Backups on the other hand are designed for near term disaster recovery and not long term preservation. But many companies have suspended the rotation of their backup media, sometimes for years, because of a fear of sanctions or even bad press resulting from the improper deletion of this potentially discoverable data. What should have been a disaster recovery mechanism is now functioning as a very inefficient archive of all historical information. This becomes magnified as companies inherit backup media through merger and acquisition. In many instances the current IT staff has no idea what data exists upon those tapes.
Posted in Articles, Back Up Tapes, Best Practices, Compliance, Data Management, Data Retention Practices, FRCP 26, FRCP 34 | Tagged: Bob Little, Computer Technology Review, Renew Data
Posted by rjbiii on September 25, 2007
We’ve already posted once about the difficulty in deciding when it is appropriate to delete e-mails. But that article was written from the corporate perspective. Think, then, how much more difficult it can be for a state institution to comply with transparency rules:
An e-mail pops into your inbox. You scan over it. Now you’ve got a decision to make: Delete it, or keep it?
These decisions are made daily by hundreds of millions of people around the world, often without more than a second of thought.
That may be fine if you’re reading a friend’s message or a consumer solicitation on your home computer. But if you are a public employee, a hasty deletion could be a crime. Really.
The AP writer is likely not familiar with compliance and discovery issues, or he wouldn’t express such surprise. Basically, the article details the difficulty of deciding when it’s okay to delete and when it isn’t, and government units subject to rules on openness and transparency use different templates than businesses do. So how is the fateful decision made? The same way it is in most corporations:
The responsibility essentially falls on each government employee sending and receiving an e-mail to judge whether it can be deleted or should be saved.
And ultimately, that will either have to change, or there will be consequences…
Posted in Articles, Compliance, Data Management, email