In less than 60 days, nearly every company in Oklahoma will find itself facing federal identity theft mandates that remain relatively unknown despite several high-profile cases and extensions.
"Anyone that invoices anything is now a creditor," said Herman J. Luette, owner of IDT Consultants of Tulsa, in paraphrasing Federal Trade Commission interpretations of the Fair and Accurate Credit Transaction Act. "That leaves very few companies out."
Although securing personal information has plagued companies since the personal computer and Internet changed business practices, the immediate issue focuses on the May 1 compliance deadline for the "Red Flag" provisions of FACTA.
That deadline extended the original Nov. 1 date the FTC set for companies to develop and deploy an identity theft prevention program. Luette said the question of just who was a creditor had confused many executives, who had thought the rules applied only to financial institutions or credit information users.
Even with the deadline looming, Luette doubts 1 percent of Oklahoma companies now comply with the new regulations, which require firms to name an information security officer, establish privacy and safeguarding rules, train workers on both the rules and systems, and ensure that all of their third-party vendors comply with the laws, among other risk-mitigating steps.
"It's kind of like having a shredder - everyone has one, but how much do they use it?" said Gavin W. Manes, president and chief executive of the Tulsa digital forensics company Avansic.
Although he's done what he can to spread the word, signing up 1,100 clients in Oklahoma and four other states, Luette doubts 90 percent of executives even know the laws exist.
"Normally, when we secure a server, the financials and the human resource files are immediately what a company wants to protect," said Tim Jackson, owner of Tulsa's information technology consulting and service firm Jackson Technical. "Beyond that, we don't see a lot of controls being set up."
Manes said such security concerns dovetail with other federal regulations, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. While the cost of noncompliance can be staggering - TJMaxx now faces more than $118 million in penalties and damages in its still-developing credit card records case - Manes said many firms don't realize the risk they face under increasingly complex liability rulings that hold companies guilty until proven innocent.
"Companies definitely have a problem with data retention and management to begin with, and e-mail is the number one problem," he said.
But the rules also reflect security risks that have nothing to do with electronic systems, he said - some as innocent as executives simply leaving correspondence sitting in piles on a desk, easily accessible by others.
"Many companies are well-prepared for an outside threat," said Manes. "A good percentage is prepared for an outside threat. But what about an internal threat, from employees? …