Here we go, again!
July 29, 2009 at 10:43 pm
It’s been fascinating over the past year to watch the race between the FTC and the MA OCABR, a race to see who gets to extend a data protection enforcement deadline more times than the other!
The FTC announced earlier today that it is extending the enforcement deadline for the FACTA Red Flags Rule until November 1, 2009. This is the third extension of the enforcement deadline in less than nine months by the federal agency. Apparently it doesn’t want to be outdone by the MA OCABR, whose deadline for 201 CMR 17.00 is currently under its second extension (also see my blog post earlier this year).
Jokes aside, both regulations are serious business, and no one can deny that both are very important to protecting the consumer at a time when identity theft is perhaps the fastest growing crime in the United States. There seems to be a common reason for the extension of both: that the small players and businesses in this economy cannot afford to comply with the requirements of the respective regulations. That is what I would like to focus on here.
I suspect many medium and large corporations and organizations have already implemented programs and processes to comply with the requirements of the Red Flags Rule, and therefore the FTC is probably right in extending the deadline for the sake of small businesses and what it likes to call low-risk entities. Take the following quote from today’s announcement, for example:
“Although many covered entities have already developed and implemented appropriate, risk-based programs, some – particularly small businesses and entities with a low risk of identity theft – remain uncertain about their obligations”
I only hope that the interpretation here is not that small entities are also low-risk. In my experience, it can often be the contrary. Because small entities have far fewer customers than large ones, it might be tempting to think that there is a low probability of identity theft. The problem is that many small entities (as the FTC rightly states) aren’t there yet in terms of having even the basic procedures and processes in place to safeguard their customer data. While large organizations fear loss of reputation and the resulting loss of stockholder value, smaller and closely held entities have no such deterrent. They are therefore often inclined to cut corners and fail to implement even the basic controls that they could certainly afford.
Here is my question: is continued extension of deadlines the answer to improving compliance by small entities? I disagree, to an extent. Sometimes I think it might be a good idea to wield the stick on smaller entities through their corporate customers. We have all heard about the importance of vendor management, and I think it is time to enforce strong data protection controls as part of vendor management contracts. The FFIEC, the council of federal banking regulators that also enforce the FACTA Red Flags Rule, in fact found vendor management to be a weak area in its examinations. One way to increase compliance by smaller entities might be to require organizations above a certain minimum revenue to enforce specific, stricter data protection controls over their vendors. I’m sure there are more, and perhaps more innovative, ways to do this.
Lastly, I think it is time that the focus shifted across the board (and not just for a specific category of organizations, as the FACTA Red Flags Rule does) from data breach notification to data protection. That is why I think MA 201 CMR 17.00 is a pioneering regulation.
To wrap up, I think regulatory and enforcement agencies need to be creative and apply some innovation as they go about their job of protecting consumer privacy. I’m almost convinced that repeated extension of enforcement deadlines is not the answer.