It's no surprise that, as the Internet and the services it provides to the public grow in scope, national legislators feel obliged to pass laws to ensure public safety and security online. One such piece of legislation is the Fair Credit Reporting Act (15 U.S.C. 1681m(e)), also known as the “Red Flag Guidelines” (RFG).
The RFG states that creditors and health care practices that hold “covered accounts” must detect and identify warning signs (or “red flags”) of identity theft. Regulations have been in place since 2003, but the US House of Representatives recently passed a new bill that amends the original law (H.R. 3763). This amendment will go into effect on November 1, 2009. The largest change to the rules is that exemptions have been put in place for some small organizations:
(A) a health care practice with 20 or fewer employees
(B) an accounting practice with 20 or fewer employees
(C) a legal practice with 20 or fewer employees
(D) any other business, if the Commission determines, following an application for exclusion by such business, that such business
    i. knows all of its customers or clients individually;
    ii. only performs services in or around the residences of its customers; or
    iii. has not experienced incidents of identity theft and identity theft is rare for businesses of that type.
This has huge implications for small firms. Small firms no longer have to shoulder the same burdens that larger firms do, which allows a small business to stay flexible and focus on growing. Owners of small firms should be ecstatic about this legislation, as it will make any small firm much more competitive.
There is one key point that managers of the exempted organizations should keep in mind. If you don't take some initiative to protect the privacy of customer data, consumers will notice and choose a bigger business that is forced to do so. You may or may not be able to bring in business with claims of being “just as secure as the big guys”, but if you have a single data leakage incident, you can't recover as easily as the big guys, if at all. Small businesses that are exempt should still bring in a competent security expert to review the business and give advice on the different options that are available.
Using a unified threat management (UTM) appliance with robust logging and reporting can handle the majority of the task and will still keep you competitive. Picking and choosing individual parts of the UTM will also work. Take the time to fully understand the challenges that are unique to your business, then make decisions accordingly. Your customers will thank you with more business.
The original article/video can be found at Red Flag Guidelines and Small Business