In less than 60 days, nearly every company in Oklahoma will find
itself facing federal identity theft mandates that remain relatively
unknown despite several high-profile cases and extensions.
"Anyone that invoices anything is now a creditor," said Herman J.
Luette, owner of IDT Consultants of Tulsa, in paraphrasing Federal
Trade Commission interpretations of the Fair and Accurate Credit
Transaction Act. "That leaves very few companies out."
Although securing personal information has plagued companies
since the personal computer and Internet changed business practices,
the immediate issue focuses on the May 1 compliance deadline for the
"Red Flag" provisions of FACTA.
That deadline extended the original Nov. 1 date the FTC set for
companies to develop and deploy an identity theft prevention
program. Luette said the question of just who was a creditor had
confused many executives, who had thought the rules applied only to
financial institutions or credit information users.
Even with the deadline looming, Luette doubts 1 percent of
Oklahoma companies now comply with the new regulations, which
require firms to name an information security officer, establish
privacy and safeguarding rules, train workers on both the rules and
systems, and ensure that all of their third-party vendors comply
with the laws, among other risk-mitigating steps.
"It's kind of like having a shredder - everyone has one, but how
much do they use it?" said Gavin W. Manes, president and chief
executive of the Tulsa digital forensics company Avansic.
Although he's done what he can to spread the word, signing up
1,100 clients in Oklahoma and four other states, Luette doubts 90
percent of executives even know the laws exist.
"Normally, when we secure a server, the financials and the human
resource files are immediately what a company wants to protect,"
said Tim Jackson, owner of Tulsa's information technology consulting
and service firm Jackson Technical. "Beyond that, we don't see a lot
of controls being set up."
Manes said such security concerns dovetail with other federal
regulations, such as the Health Insurance Portability and
Accountability Act and the Gramm-Leach-Bliley Act. While the cost of
noncompliance can be staggering - TJMaxx now faces more than $118
million in penalties and damages in its still-developing credit-
card records case - Manes said many firms don't realize the risk
they face under increasingly complex liability rulings that hold
companies guilty until proven innocent.
"Companies definitely have a problem with data retention and
management to begin with, and e-mail is the number one problem," he
But the rules also reflect security risks that have nothing to do
with electronic systems, he said - some as innocent as executives
simply leaving correspondence sitting in piles on a desk, easily
accessible by others.
"Many companies are well-prepared for an outside threat," said
Manes. "A good percentage is prepared for an outside threat. But
what about an internal threat, from employees? …