Identity Theft - Protecting Yourself and Your Clients

By: Mari J. Frank, Esq.

Massive security breaches of sensitive personal information are on the rise, and identity theft continues to claim million of victims. It could happen to you, your firm, or your clients. When my own identity was stolen in 1996 by a woman I never met in a city four hours north of my office, I was shaken. My "evil twin" stole over $50,000 worth of credit in my name, used my good reputation and credit to buy a red convertible, totaled a rental car for which I was sued, and worse yet assumed my profession as an attorney distributing business cards with my name. There were no laws making identity theft a crime at the state or federal level (for consumer victims). As an advocate for other victims, I joined task forces, helped write legislation, testified in Congress and had discussions at the White House.

You certainly have seen horror stories about this crime on television, and you may be concerned about this happening to you, your firm, your family, or your clients - since no one is immune. Javelin Strategy & Research issued its 2010 report on identity fraud occurrences from 2009. They found that the instances of identity theft reached record numbers in 2009 with an estimated 11.1 million adult victims of identity theft with total fraud amounting to $54 billion. Americans are worried about identity theft. According to an October 2009 Gallup Poll, identity theft was the top concern with 66 percent of respondents saying they frequently worried about identity theft. My goal in this article is to help you understand your vulnerabilities, and give you tools to minimize your personal and professional risks.

The truth is, no matter how careful you are with your information, you, your firm and your clients are vulnerable because sensitive information is out of your control when it is in the hands of third party companies or governmental agencies. This crime has skyrocketed due to the careless information handling practices of businesses, organizations and governmental entities that collect, store, utilize, and share your personally identifiable data. Without strict guidelines and real enforcement (allowing a private right of action), the problem has grown worse.

As an attorney, you are in a distinct position to protect the sensitive records that you maintain about your staff and clients. You have a duty to report security breaches yourself. Most states have security breach notification laws such as California which require all businesses and state governmental agencies that experience a security breach (an acquisition of unencrypted electronic files of sensitive information by unauthorized persons) to notify all potential victims of the breach so that they may protect themselves with a fraud alert, a security freeze or other means. Federal guidelines for financial institutions encourage safeguards and notification as well under the Gramm-Leach-Bliley Act, and on August 19, 2009, the federal Department of Health and Human Services (HHS) issued the interim final rule regarding notification of breaches of unsecured protected health information under the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996. There are numerous pending federal bills which would require alternative security breach triggers for notification which would preempt state laws. From February 15, 2005 through June 3, 2010 there was public reporting of the security breach of 354,568,866 records of personal identifying information. It’s important to remember that not all security breaches are required to be publically reported and of those that are reported, many of the incidents do not reveal the actual number of records lost or stolen. So this number of records is far below the actual number.

Before you can protect yourself, your staff, your firm and your clients from identity theft, you must understand just exactly what it is and how it happens. Simply, you become a victim of identity theft when an unauthorized person uses your personal identifiers, like your name and Social Security number, to impersonate you to commit fraud. An individual may become a victim or a business or law firm may itself become a victim. Imposters will steal identities for four main reasons — financial gain (the major reason); to avoid arrest or prosecution; revenge or jealousy; and terrorism. There is no limit to the creativity of these impostors, because whatever you can do or obtain with your identity (personal or business), your impersonator can also do as your "clone."

Financial Gain

John, Esq. and his wife were in the process of buying their first house, when John’s credit reports showed that he was delinquent on payments for credit accounts that were not his. The couple’s credit is flawed by outstanding bills of $35,000 for accounts from Citibank Credit Card Company, Chase, and American Express, which precluded them from purchasing their dream home.

Using your credit is an easy way for criminally minded persons to steal from innocent, good people like you. With this "faceless crime," a perpetrator doesn’t have to use a gun or ever meet the victim. All he or she needs is a bit of information. Right now the key to the kingdom of identity theft is the Social Security number (SSN). In the near future it may be a fingerprint, an iris scan or another unique “piece of your body” called biometric information that is transferred electronically via the Internet, or it may even be a radio frequency identifier (RFID). The game is the same — fraud.

Not only can the thieves obtain new credit and cards using your information, but also now with tighter credit they make greater efforts to siphon money from your bank accounts, investment accounts, trust funds, college accounts and retirement plans. They can obtain life insurance in the victim’s name (and make themselves the beneficiary), secure medical services, have babies using another’s health insurance, get medical care, steal your disability payments or Social Security checks, receive unemployment or disability compensation, get your tax refund, or even file bankruptcy using your identity. They can create bank accounts in your firm’s name and deposit fraudulent checks, and your firm is later on the hook.

Steve and Linda, both attorneys, had experienced what they call a living nightmare. For more than two years, an identity thief had used their names and Social Security numbers to open 30 credit accounts, making purchases totaling more than $100,000. The imposter had also purchased a Jeep Cherokee. The couple had been hounded almost daily by collection agencies. There was even a civil suit filed against them for nonpayment of a furniture bill.

Indeed, identity theft is increasing at epidemic proportions and financial rewards are the leading reason for this crime. Below are examples of the top six types of financial hoaxes that fraudsters can commit using your identity:

1. Credit card fraud

George, Esq. opened his credit card billing statement and saw $2,000 worth of charges he didn't recognize — all orders for merchandise and gasoline in another state. Yet his credit card was still in his wallet. He discovered he had been skimmed. It may have happened at a restaurant when the fraudster-waitress smiled at him, took his credit card, then ran the card's metal strip through a skimmer, which copied the information imbedded in the metal stripe. All that the thief had to do was download the information and copy to fraudulent cards. Sally, Esq. found out her debit card number was used by her secretary on the Internet to purchase Christmas presents for her family.

2. Utility theft

Laura, Esq. a Southern California resident, began to receive collection calls regarding delinquent phone accounts in Northern California. She learned several men in a California penal institution had used her SSN, not her name, to open up phone accounts. Her SSN was associated with several men’s names associated with many different telephone numbers.

3. Bank swindles

Stacy, a law student, learned that her impostor deposited $8,000 worth of phony checks into her checking account, and then proceeded to make new checks using the account to buy goods and services. All of Stacy’s own checks bounced and her bank refused to help her, accusing her of conspiracy.

4. Employment deception

A large top notch law firm in Southern California found out that one of its associate “lawyers” was an impersonator who had gone to law school, but couldn’t pass the bar, so the impostor borrowed a similar name, the victim’s SSN and the Bar number of a licensed lawyer from Northern California.

5. Counterfeit loans

The Honorable Judge Jonathon in Southern California was horrified when he went to purchase a new car. His credit report showed two new car loans for cars he didn’t purchase. His credit was destroyed.

6. Newly created checks

A large law firm in Texas noticed that thousands of dollars were missing from their retainer account. What happened? A thief created new checks from an office store using the account number and routing number of the firm’s checking account.

Criminal Identity Theft: Avoiding Arrest or Prosecution

Brian Esq. learned that someone with similar physical features used Brian’s name when he was arrested for various criminal offenses. He recently panicked when he found out that the impostor was also a sex offender and a neighbor in his office building.

Imagine this: You’re sitting at your computer at work and two law enforcement officers approach you to ask for your identification. They begin to interrogate you, and then, in front of your colleagues in the firm, tell you that they have a warrant for your arrest; they handcuff you and lead you to the police station. You learn someone has used your identity to commit a crime that you know nothing about. You will need to provide fingerprints to the police, obtain the arrest and court records, make motions to clear your name and obtain a Certificate of Innocence, and rectify the public records with the data brokers and check the Internet for data re-sellers who may still report the fraudulent criminal record.

Revenge: Retaliation

Tom and one of his former client’s had a falling out after a case went sour. Unbeknownst to Tom, his former client set up an e-mail account using Tom’s name and sent embarrassing and degrading emails to the firm’s staff and to the opposing firm trying to discredit Tom and his professionalism.

These are examples of Cyber Identity Theft which is a growing concern with the vastness and anonymity of the Internet.

Cloning your small firm

Stan, Esq. learned that his website was hijacked by an imposter. A blog owner set up an account in his name. An old foe was out to discredit him. It’s easy to do.

Martha, PhD and expert witness in a custody case, learned that the husband of the client who hired her created a social networking profile that was meant to ruin her reputation in court.

Terrorism

Over half of the terrorists who committed the atrocious acts of 9/11 committed identity theft. All of them used false documents. They used fraudulent identities to obtain credit cards, cell phones, hotel rooms and even flying lessons. They avoided apprehension by assuming identities, and more disturbing, they stole identities for revenge against our way of life.

How Do Thieves Appropriate Your Identity?

• They steal mail from mailboxes or office mail.
• They may work in your firm or clean your office at night and steal sensitive information left on desks or stored in unlocked cabinets or in unencrypted files (prosecutors in Orange County, CA can tell me that 60 – 70 percent of all identity theft cases they handled are unscrupulous employees).
• They may pose as you and report an address change in order to divert your mail including those ubiquitous pre-approved offers of credit, to their address — or more likely, a drop box.
• They obtain in-home or in-office access to confidential documents.
• They might access your credit report fraudulently by posing as an employer, loan officer, car dealer or landlord. Or they might illicitly obtain your SSN and credit information while actually employed by a company with access to a credit bureau database.
• They scam you through e-mail, regular mail or by phone, pretending to be a legitimate agency or company asking for personal data (phishing or vishing).
• One of the most common methods is to gain insider access to a law firm, an agency or a bank, to pilfer personnel files and critical databases maintained by the company. The Gartner Group estimates that internal employees commit 70% of information intrusions, and more than 95% of intrusions that result in significant financial losses.
• Impersonators also use personal information they find about you in chat rooms, e-mails, social networking websites and information brokers on the Internet.
• Electronic Security Breaches are mounting, and can be as simple as stealing disk files, backup tapes, thumb drives, and a laptop or as sophisticated as electronic hacking by unscrupulous employees, or fraudsters living in a foreign country.

A member of a notorious crime ring was employed temporarily at a large corporation. He downloaded the employee list containing SSNs and dates of birth and provided this information to members of the ring. One by one, the employees’ identities were used fraudulently to obtain credit.

Consider about all the places that have your SSN and other personal identifying information - your CPA, dentist, doctors, the IRS, the State Tax Board, the credit bureaus, your creditors, your bank, your investment institutions, etc. - it is daunting. Without our ability to control access, there is no guarantee, no matter how careful you are, that you won’t become a victim yourself. In your law firm you do have control to a great extent how information is collected, viewed by others, stored, secured and protected. You have a duty to safeguard information within your control and depending on what Congress or the federal appellate courts decide you may be subject to enforcement of the federal Red Flags Rule regarding identity theft described below.

The Red Flags Rule Intended to Prevent Identity Theft May Apply to Lawyers

The American Bar Association (ABA) filed a three-count complaint against the Federal Trade Commission (FTC) alleging that the FTC's application of the Final Rule of the Identity Theft Red Flags Rule (the “RF Rule”) under the Fair and Accurate Credit Transactions Act (FACTA) of 20037 to attorneys exceeds the FTC's statutory authority. 8 The complaint alleged that the FTC's actions in implementing the RF Rule as it has transgress the Administrative Procedure Act, 9 was in violation and should not apply to attorneys. On October 29, 2009, District Judge Reggie Walton of the District of Columbia held that Congress did not intend lawyers to be considered "creditors" under FACTA when he granted a partial summary judgment motion by the ABA in the declaratory judgment action. Under Walton's decision, the RF Rule developed by the FTC to impose the statute's identity-fraud-protection provisions on businesses is inapplicable to lawyers outside the financial sector.

However, on February 25, 2010, the FTC filed an appeal of the judge’s decision upholding the ABA’s position that the RF Rule doesn't apply to lawyers. The case is of import because it would require law firms, if the FTC prevails, to implement anti-fraud measures and it would expand federal power to regulate lawyers which many believe should be left to the states. The FTC has already delayed the deadline five times (beginning in 2008) and most recently again on June 1, 2010. Now the deadline for enforcement of the RF Rule is after Jan. 1, 2011, due to requests from several members of Congress who are working on limiting the scope of the RF Rule.

Although Congress may finally clarify that law firms are not subject to the RF Rule, we as lawyers nevertheless still have an affirmative duty to protect our clients and staff from identity theft. Indeed. If any of our clients or employees becomes victims of identity theft due to our failure to take reasonable steps to protect their sensitive data from fraudsters, we would be subject to liability. So whether or not the FTC or any other Governmental agency will be able to bring an enforcement action against you or your firm regarding the RF Rule, it’s a good idea to implement the rules as they are considered “ reasonable” actions to take to protect staff and clients. Being proactive will help shield us from liability if the worst happens.

The RF Rule sets out how businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. The program must include four basic elements, which together create a framework to address the threat of identity theft as follows:

1. Your program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation in your law firm. You and your staff can brainstorm suspicious patterns or practices, or activities, which may indicate identity theft. For example, if a client has to provide some form of identification to retain your firm, a Driver’s License that looks like it might be fake would be a “red flag.” Or if a new client calls pretending to be a friend of someone on your staff and no one knows that person. Or a client may tell you that his information was stolen by someone in your office.
2. Your policies must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.
3. Your policy must clarify what actions you’ll take when you detect red flags. If you believe that a staff member has accessed a file without authority, who will be notified? You may specifically state, for example, if any suspicious identity theft activity occurs, an employee will report immediately to the privacy officer/HR person/attorney in charge/police.
4. You must address how you will re-evaluate your policies periodically to reflect new risks and you must update and train your staff as to the risks and how to respond. You need to log possible privacy and security breaches and address how to prevent them and add to your policies. Staff training is not just handing a document to read, it includes face to face training with live examples of risks and responsibilities.

You must designate a senior level person in charge or a committee to approve your first written program and policies. If you have a small office, the senior attorney should be in charge- and the person with the highest authority should be the person to approve the plan. Your written program must state who is responsible for implementing, administering, training and enforcing the policies. Fortunately, the RF Rule takes into consideration the size of your firm and risks associated with your business practices. So smaller firms will have a more intimate training and enforcement, but it should be as comprehensive as the larger firms that will institute a more formalized program.

Identity Theft Red Flags Protection Program

The following Identity Theft Precautions will help you to create your own Identity Theft Red Flags Protection Program.

Collection, storing, and discarding personal information

Aside from electronic breaches, ID thieves often steal hard copies of client files, employee personnel documents, loan papers, hospital records, bank documents, etc. Thieves can use the information so easily and quickly on the Internet, where vendors and others have no face-to-face interaction. Your impostor can make purchases from the seclusion of his bedroom, establish an e-mail account in your name without any proof of identity; or purchase authentic-looking, governmental documents on line to impersonate you for a variety of reasons. Consider these tips:

• Analyze what information you collect in your office. Don’t collect more than you need. If you don’t need to store it, you won’t have it to lose in a security breach.
• Keep your sensitive records under lock and key

Burglars and unscrupulous employees are more interested in personal identifying information than in jewels or equipment. It’s a wise investment to use locking file cabinets for your confidential documents kept at home and in your office. Put padlocks on doors of closets that contain boxes of old client files, tax returns and financial statements. Utilize alarm systems. Secure briefcases containing private documents with a locking device and alarm in your office and locked car trunk. When using a valet, provide a key that doesn’t open the trunk. For cell phones, electronic devices, laptops, iPads, etc., encrypt all sensitive data.

• Limit Access to those who need to know, and monitor audit trails

At your office set up audit trails and unique passwords for electronic access to sensitive documents. Also monitor off-line audit trails for release of keys to cabinets, storage rooms, and client files. Only allow those with a need to know to access confidential data. Change passwords every six months and whenever an employee leaves his job. Ask visitors to identify themselves and log in. Use biometric keys to access sensitive information and electronic equipment. Don’t allow employees to leave cases on their desks unattended. Make sure electronic files are password protected.

• Shred confidential data at home and at your office

Purchase crosscut shredders for discarding of important papers, pre-approved offers, account statements, and confidential data of all kinds for you, employees and clients. Keep shredders at every desk and at the copier and fax machines.

Use a bonded shredding service that comes to your office and destroys sensitive documents on site. Businesses discarding sensitive documents must completely destroy them. Federal law requires complete destruction of personal information under the Fair Credit Reporting Act (FCRA). 10 The disposal rule above applies to attorneys.

• Secure faxes, printers, computers, and e-mails

Tell all persons who fax to your office or home not to send confidential information in a fax to you unless they call you first to verify the fax number and verify who will receive it and call afterwards to make sure it was received. Use designated faxes and printers for confidential data. When disposing of electronic equipment, computers, copiers, and other electronic equipment, completely erase or destroy the hard drive. Each device that has a computer stores information. Don’t give away or turn in a lease on a copier without erasing the hard drive.

• Set up privacy rules and encryption for offline electronic devices, offsite laptops, and all other electronic devices. Create a sign in and out process; consider using a biometrics entry key.
• Conduct civil and criminal background checks for all employees and vendors with access to sensitive information about staff and clients.

If an impostor steals the identity of your clients or staff, you may be liable for negligent hiring or negligent supervision. Be sure to get the potential employee's prior permission in writing before obtaining a consumer report.

• Limit use of personal identifiers like the SSN for clients and staff

For example, under California law, companies may not do any of the following:

• Post or publicly display SSNs
• Print SSNs on identification cards or badges
• Require people to transmit an SSN over the Internet unless the connection is secure or the number is encrypted
• Require people to log onto a web site using an SSN without a password
• Print SSNs on anything mailed to a customer unless required by law or the document is a form or application.

Never include the SSN or sensitive financial data in public court records. Most state and federal courts restrict the filling of such documents and you could be liable to any victim or may be hit with sanctions for careless handling of sensitive data.

• Use photo business cards, photo ID’s and photo credit cards to authenticate your office
• Make sure you know who your clients are as well as your staff (authenticate them).

Credit Card Care – For Yourself and Your Clients

• Put passwords on all your financial accounts (not your mother’s maiden name).
• Monitor your credit card account and bank statements online several times per month.
• Carefully review all bank statements and financial statements once per week. Make sure to have checks and balances so as not to make embezzlement tempting or easy.
• When accepting credit cards online from clients to pay bills, store only what’s necessary. Don’t keep credit card numbers on file. Shred faxed credit card payments immediately after processing or entering the data into the credit card machine if done manually.

Protecting Financial Transactions

• Use checks only when necessary. You are safer using a credit card than you are using a check. Also, it’s safer to do online banking. Office supply stores sell computer checks. The fraudster can copy your routing and account numbers on new checks and drain your money with the bank just by looking at your check.
• Don’t print your telephone number or full name on your checks
• When you order new checks, have them delivered to your local bank branch, rather than your home or office.
• Back-up and encrypt your financial software
• Online bill pay is safe when you use a secured computer and complex passwords.
• Always initiate online payments from your own account. Don’t provide your account number to all your vendors. Your bank already has your sensitive data.

Protecting Information by Phone

Never allow family or staff to release personal information over a cell phone, a phone, in person, or on the Internet to someone you don’t know who contacts you. If you are asked for information from a stranger who claims to be your bank or the IRS, be polite, get off the phone and call the number listed in the phonebook or online directory yourself to ask for that person or department.

• Check to see who is listening when sharing confidential information on a speakerphone or cell phone. When using a wireless phone in a public place, be careful to speak quietly, and move to a secluded area when speaking about sensitive information.

Secure Your iPhone, Blackberry, and iPad - encrypt confidential information

• If you are transmitting wirelessly, then ensure proper user/device authentication before transmission.
• To protect data in case the device is lost or stolen, utilize user ID and Password level security, and encrypt sensitive data.
• Find out more on how to protect yourself with wireless devices.

Protecting Your Mail and Mailbox

• Don't put checks in the mail from your home or office mailbox and don’t leave them in bins at work.
• Use Alternative Payments such as on-line banking with a 12-character alpha/numeric password.
• Get a post office box or a locked business and residential mailbox.
• Limit pre-approved offers by calling 1888 5 OPT OUT.

Reviewing, Accessing and Correcting Your Credit Reports.

• Order your free credit report from all three major credit reporting agencies (CRAs) at least once a year13
• Limit access to on-line credit reports, and background checks at your office Monitor and restrict to those who have a permissible purpose and strictly monitor retrieval (be cautious of the FCRA.)
• Immediately correct all mistakes / fraud on credit reports in writing, return receipt requested. If you see fraud on your credit profile, place a 90-day fraud alert on your profile (you may write for a seven year fraud alert if you send a police report and identifying information) or consider a credit security freeze to lock up your credit with password protection. In California, identity theft victims are entitled to one free credit report per month for 12 months after the first alert. Victims in other states are entitled to two free reports in the year of victimization.

 Protecting yourself and your office while using your computer

• Set up unique system passwords to get into your computer
• Install hardware and software firewalls and make sure staff use them and update software
• Install, use, and continually update anti-virus and antispyware software. Run live updates
• Set up automatic notices of updates for all programs, and download in a timely manner
• Back up your files daily and encrypt sensitive confidential files
• Don’t share or transmit data about clients without their permission and always encrypt
• Set forth privacy policies with regard to the use of the intranet at home and taking files home either by hard copy or electronically.

Protecting Yourself on the Internet

• Don’t give your password to anyone. The secret to effective password creation of at least eight numbers and letters: Use the first or last letters of each word in a favorite line of poetry that you’ll easily remember. Intersperse these letters with numbers and punctuation marks. Example: “Mary had a little lamb.” M*HA2LL or Y!DAE9B. Upper and lower case can also be varied (M*ha2LL). Change your passwords every six months.
• Don’t register when visiting web sites on the Internet, unless you are sure it’s not a fake site. Don't provide sensitive data.
• Don’t display your personal, family, or your staff’s personal information on the Internet. Think twice before creating your own home personal page, family tree, or photo web site with identifying information about your family. Minimize your business website to business information.
• Shield your staff online – set forth clear rules. Monitor chat rooms and whom they’re “chatting” with in social networking sites. Set forth privacy and security policies.
• Monitor social networking and blogging sites. Set forth policies and procedures and make sure they are followed.
• Be cautious with peer-to-peer file sharing at home and the office (p-2-p) You may associate peer-to-peer file only sharing with sharing music (which is not legal), but people also share all types of sensitive data and other files 
• Don’t trust people you meet online, and use a nickname for your screen name. You may find the love of your life, but you might also run into an evil-minded criminal.
• Make sure you are on the web site of the company that you really think you’re doing business with. Online fraudsters create web site names (URLs) very similar to those of legitimate companies. That’s called Pharming. To check whether the site that you’re on is really the legitimate company.
• Only give out information that’s necessary for the transaction.
• Use disposable forwarding e-mail addresses for chartrooms, purchases, public postings, and social networking.
• Never use a public computer, such as an Internet café, a library, or airport computer to access your sensitive information.
• Keep your e-mail safe by limiting personal information and encrypt sensitive attachments.
• Passwords protect and encrypt confidential attachments for clients and friends.
• Teach your clients not to send sensitive data by emails. WinZip is an easy to use free program and you can teach your clients.
• Search out your name and staff members’ names on the Web to find what information is circulating on the Internet.
• Don’t get hooked by a "phishing" or vishing expedition. Never respond to e-mail or voicemail asking for sensitive information.
• Advise family, staff and your clients not to put confidential or controversial information in e-mail. Use encryption software to protect anything sensitive.
• Visit an Internet safety organization such as Cyber Angels to protect your identity or the Federal Trade Commission for additional precautions.

Other Protective Privacy Measures

• Use tamperproof mailers when sending sensitive information.
• Verify that your clients, staff and vendors are who they say they are. Authenticate.
• Conduct privacy and identity theft protection audits of your on-line and off-line environment at home and at your office. Consider an outside audit by privacy professional.
• Designate a staff member to be in charge of Privacy and Identity theft protections This staff member usually works with your IT or security consultant, but has a unique role. Security considers the systems, but privacy considers the individual. You need to designate one person to implement privacy policies, analyze vulnerabilities, coordinate with the technology professionals, train staff, evaluate and adjust in accordance with new state and federal laws.
• Implement Privacy and Identity Theft Policies on the Web and in your brochures. The Online Privacy Protection Act of 2003 requires operators of commercial web sites or online services that collect personal information on California residents through a web site, to conspicuously post and comply with its privacy policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information.
• Train your family and your staff as to best practices for privacy and identity theft protection. Keep apprised of current privacy and identity theft laws. 

As a lawyer, you must collect and utilize very private, confidential information about your clients and your employees. You have a duty to guard your clients' and staff’s privacy and identity in your office and in the public courts. This daunting challenge presents legal questions, security risks, and litigation exposure. Take the opportunity to analyze and enhance your information management practices and create a proactive approach to data privacy and security. Whether or not you will be subject to the Red Flag Rule, institute a policy that is based on the model program. You'll boost client trust and goodwill, and increase profits. Implement the suggestions in this article to augment your privacy environment to protect your firm and safeguard your clients’ and staff’s identity.