Two security industry veterans have teamed up to bring education, awareness and resources to businesses in need of guidance to become compliant with the federal Fair and Accurate Credit Transaction Act (FACTA). Kathryn Felten and Alicia Nickols are certified data security and privacy specialists and have backgrounds in group training and identity theft issues. Felten joined Nickols, founder of E3 Solutions LLC in Thiensville, in 2006 to offer businesses the complete package in compliance.
FACTA was originally created in 2003 in an attempt to protect consumers from discrimination and identity theft and to regulate merchants on protecting private consumer information. Since 2003, identity thefts have increased in both quantity and severity, and Internet merchants have experienced increasing breaches of security.
In an attempt to curb the rising security risks, the Federal Trade Commission (FTC) has put compliance regulations in place, holding businesses accountable for security breaches. However, many companies don’t know about the regulation or how to protect against identity theft, Felten said.
“Consumers are going to become more savvy and are going to start asking about company policies and procedures,” Nickols said. “Companies need to get a plan of action in place, get the framework in place and tell customers how they protect their information.”
In 2005, Betsy Broder, assistant director in the division of planning and information for the FTC, addressed the Select Committee on Information Security of the Pennsylvania House of Representatives on identity theft and data security and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. In addition to speaking about the regulations enforced on financial institutions and the repercussions experienced by companies who were deceptive regarding their security practices, Broder addressed the responsibilities of all businesses.
“Given the wide variety of entities covered, the GLBA Safeguards Rule requires a plan that accounts for each entity’s particular circumstances – its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles,” Broder said.
“We want to make sure that non-public information is properly handled, stored, disposed of and that procedures are in place for before, during and after a breach,” Nickols said.
E3 Solutions can help a company elect a compliance officer, schedule a disposal assessment, schedule a walk-through assessment and an IT assessment.
“We go over with them the things they need to implement,” Nickols said. “From that, we create the policies and procedures that are required for compliance with the Federal Trade Commission.”
Once the assessments are completed and a company’s vulnerabilities are found, E3 Solutions works with the business to enhance security.
E3 Solutions continues to offer training to its clients on a quarterly basis to educate employers and employees on new regulations as well as train new hires. E3 Solutions also offers annual re-assessments to companies to ensure they are still in compliance, Nickols said.
“Even if you have one employee and you misuse the information on that employee, you can get fined between $2,500 and $1 million per occurrence and receive up to 10 years in jail for executives and removal of management,” Felten said.
E3 Solutions mainly works with the private sector but has done some work with government agencies, as well as schools and churches, Nickols said.
“Our challenge is to help business owners know that this is beneficial to them because they don’t have time to think about it and we do,” Nickols said. “Of the companies we have met with in the past five or six months, there was one that actually was aware of the need for a plan and knew something had to be put in place. For every other company, we were offering new information and experienced fear, anger and disbelief.”
“Identity theft is not going away, and it is getting bigger and bigger,” Felten said. “One hundred million people were affected between February 2005 and just before December of 2006. Crooks, thieves, insiders and mistakes are costing money to companies.”
A case in point: Alpharetta, Ga.-based ChoicePoint Inc. admitted in 2005 that the data of about 140,000 customers was stolen. In January 2006, the FTC announced ChoicePoint was given a $10 million fine with an additional $5 million tacked on to compensate its customers for losses stemming from the breach.
“If a company has laid out policies and procedures ahead of time and employees have signed statements agreeing breaches cannot happen, a company might be able to reduce those costs,” Felten said.
