What does the identity theft prevention program have to contain?
The program must contain policies and procedures that will (1) identify “red flags” that are relevant to the business, (2) detect red flags that have been incorporated into the program, (3) respond appropriately to any red flags that are detected, and (4) update the program periodically to reflect changes in risk to customers or to the safety and soundness of the entity from identity theft. Moreover, each program must be overseen by the entity’s board of directors, an appropriate committee, or a member of senior management. An affected entity will need to review and update its program on a periodic basis. Fortunately, the rules allow entities to incorporate existing policies and procedures into this new program.
What is a “red flag”?
The covered entity determines what its red flags will be. However, the entity is required to at least consider the 26 examples included in guidelines that were appended to the Final Rules. An example of a red flag would be when a fraud or active duty alert