Georgia Retail Association


An Introduction To FACTA (Fair & Accurate Credit Reporting Act)


In an accompanying article you will read how GRA has fought to suppress file freeze legislation for the last two or three years. Many legislators seem unable to grasp that identity theft is a crime with serious consequences for consumers and businesses alike. According to the national Identity Theft Resource Center, of the approximately 44 million Americans who have been the victims of identity theft at some point, each spent an average of 600 hours and $1,495 getting their finances straightened out. And that does not include attorney's fees.


With the focus on the consumer alone, Georgia legislators have introduced at least three bills which ignore the cost of identity theft to businesses. Most consumer protection laws help to limit the financial liability for the victims of identity theft, leaving businesses to bear the brunt of costs for account balances, goods, or services lost to identity thieves.


According to the 2005 Javelin Identity Fraud Survey Report published by Javelin Strategy & Research and the Better Business Bureau, in 2004, identity theft cost financial institutions and businesses an estimated $52.6 billion. In addition, there are indirect costs to businesses such as lost productivity and allowing employees who are victims extra time off to resolve identity theft.


Identity Theft is the fastest growing crime in the United States. In order to help fight it, Congress expanded the federal Fair Credit Reporting Act (FCRA), adding a Fair & Accurate Credit Reporting Act (FACTA) in 2003.


The new legislation addressed privacy issues, placed limits on the sharing of credit information, required a higher level of accuracy, established new consumer rights and included new disclosure regulations.


These new provisions also created serious new responsibilities and potential liabilities for retailers. Under the new regulations a retailer could be sued, fined, or become a defendant in a class-action lawsuit if data aiding an identity theft originates from a security breach of its files. Retailers were now responsible not only when someone obtained their own personal information, but also whenever another person's personal information was stolen from their files.


Under the new law, every consumer is allowed to get one free copy of their credit report each year at www.annualcreditreport.com or by calling 877-322-8228. There are three major credit reporting companies in the United States.


Beginning on December 1, 2006, retailers were required to leave off all but the final five digits of a credit card number on electronically printed store receipts, and the law also required the "shredding or burning" of all paper and the "smashing and wiping" of all computer discs containing personal information "derived from a consumer report" before they are discarded. The law applied to any business, regardless of size, that collects personal information or consumer reports about customers or employees to make decisions within their business (including names, credit card numbers, birth dates, home addresses and more).
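The receipt truncation rule above is the one requirement on this page that a point-of-sale or receipt-printing system enforces in code. The following is an added example, not code from GRA or from any retailer's POS software: a masking function that keeps only the final five digits (the page's stated limit; the `keep` parameter is an assumption so the same function can apply a stricter internal policy), and a scanner that flags an unmasked card number in receipt text by looking for a 13-19 digit run that passes the Luhn check, so ordinary receipt fields such as totals, dates and reference numbers are not false positives. The card number used is the well-known test value 4111111111111111, a constructed input.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan_for_receipt(pan: str, keep: int = 5, mask_char: str = "*") -> str:
    """Return the card number as it may appear on a printed receipt.

    Every digit except the final `keep` (default 5, the page's limit) is replaced
    by mask_char. Separators such as spaces or dashes are stripped first so the
    masked output does not reveal digit grouping.
    """
    digits = re.sub(r"\D", "", pan)
    if not digits:
        raise ValueError("no digits found in card number")
    if len(digits) <= keep:
        # Already shows no more than `keep` digits; nothing to hide.
        return digits
    return mask_char * (len(digits) - keep) + digits[-keep:]


# Card numbers are 13 to 19 digits; the lookarounds avoid matching inside a longer run.
_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_unmasked_pans(receipt_text: str) -> list:
    """Return every Luhn-valid 13-19 digit run in receipt text, i.e. card numbers
    that were printed without truncation. An empty list means the text complies."""
    return [m.group(0) for m in _PAN_RUN.finditer(receipt_text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    # Constructed sample receipt lines; 4111111111111111 is a standard test card number.
    bad_line = "CARD 4111111111111111 TOTAL 123456.78 REF 20061201"
    good_line = "CARD " + mask_pan_for_receipt("4111 1111 1111 1111") + " TOTAL 123456.78 REF 20061201"
    print(good_line)                       # CARD ***********11111 TOTAL 123456.78 REF 20061201
    print(find_unmasked_pans(bad_line))    # ['4111111111111111']
    print(find_unmasked_pans(good_line))   # []
```

`find_unmasked_pans` is the check a retailer would run against receipt templates or printer spool output during testing: the masking function alone does not help if some code path still formats the raw number.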

According to the Federal Trade Commission, reasonable measures include burning, shredding, or pulverizing documents so they become impossible to put back together or read. Strip shredders are not good enough; a cross-cut shredder is required. Electronic media and files that contain any consumer reports must be erased so that they cannot be reconstructed or recovered.

If personal information isn't destroyed and it gets out, FACTA provides penalties including:
* Civil liability. An employee could be entitled to recover actual damages sustained if their identity is stolen from an employer. Or, an employer could be liable for statutory damages for up to $1,000 per employee.
* Class action lawsuits. If large numbers of employees are impacted, they may be able to bring class action suits and obtain punitive damages from employers.
* Federal fines. The federal government could fine a covered business up to $2,500 for each violation.

Each business should have a written plan describing how customer data will be safeguarded and a staff member or company officer designated to be responsible for implementing that plan. According to the FTC, a "reasonable" plan to safeguard personal information includes:
* Designating an employee (or employees) to coordinate and be responsible for the security program.
* Identifying "material internal and external" risks to the security of these personal data (with such a risk assessment including employee training on the detection, prevention, and response to attacks or other system failures).
* Designing and implementing reasonable safeguards to control the risks identified in the risk assessment.
* Continually evaluating and adjusting the security plan in light of the results of ongoing monitoring and testing of the program, material changes to business arrangements or to the company's operations, or "any other" circumstances that could have a material impact on the effectiveness of the security plan.
* Creating a mitigation plan. Even with the FTC's focus on "reasonable" security measures and "appropriate" risk levels, there is still the real possibility that security breaches may occur, regardless of what precautions are taken. This mitigation plan should kick in when there is a privacy or security breach and there is a need to "repair it" immediately in the eyes of customers, government regulators, and management.