As we continue to talk about cyber security plans, we have to talk about The Red Flag Rule, which requires many businesses to develop and implement a formal, written Identity Theft Prevention Program for the purposes of detecting the warning signs, or "red flags", of identity theft throughout their day-to-day operations. Here’s what else you need to know:
The first step is to identify the relevant red flags you might come across that signal that people trying to get products and services from you aren't who they claim to be. The second step is to explain how your business or organization will detect the red flags you've identified. The third step is to decide how you'll respond to any red flags that materialize. Do you use service providers who might detect any of the red flags you've identified? For example, if you hire a company to handle your Part Two Call Center activities talk to them to see that they're following your Program or have their own that complies with the Red Flags Rule.
Most corporate liability insurance policies do not cover losses due to cyber-attacks, errors or omissions. Cyber insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce has described cyber insurance as a potentially "effective, market-driven way of increasing cyber security" because it may help reduce the number of successful cyber-attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured's level of self-protection; and limiting the level of losses that companies face following a cyber-threat.
Last but not least, encrypt at rest, in transit and include a process for data and hardware destruction. Your greatest hope for protecting NPI is encryption. Most laws and regulations will ignore encrypted data if compromised; they call this "Safe Harbor."
We all have the responsibility to protect and account for the use of NPI. Whether you're paper or electronic based with your processing, the laws and rules remain the same. Top down, these are the points to focus on:
- Encrypt everything
- Get Cyber Insurance
- Train and educate your employees
- Comply with laws and regulations