Privacy Issues in the Workplace

2) Suspicious documents (for example, documents provided for identification that appear to be forged); 3) Suspicious personally identifying information (for example a suspicious address, or a social security number has not been provided, or is listed on the SSA’s Death Master File); 4) Unusual use of – or suspicious activity relating to – a covered account (for example, a material change in purchasing or spending); and 5) Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts. c. Drafting The ITPP The ITPP must include the following four basic elements for detecting, preventing, and mitigating identity theft and enable a creditor to: 1) Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program; 2) Detect red flags that have been incorporated into the Program; 3) Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and 4) Ensure the ITPP is updated periodically to reflect changes in risks from identity theft. There are also certain steps that a creditor must take to administer the ITPP: obtaining approval of the initial written ITPP by the board of directors, or if none, then by an appointed senior manager/employee of the creditor; ensuring oversight of the development, implementation and administration of the ITPP; training staff on the ITPP; and overseeing service provider arrangements. 2. S ECTION 315 OF THE FACT A CT Section 315 of the Act also requires issuers of debit or credit cards to assess the validity of a change of address if they receive notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterward they receive a request for an additional or replacement card for the same account (this will not typically apply to public agencies). In addition, Section 315 amended Section 605 of the FCRA, 15 USC 1681(c), by adding a new subsection (h). Section 605(h)(1) requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency (i.e., when an address provided by a consumer “substantially differs” from the one the credit reporting agency has on file). Public agencies may be users of consumer reports (for example, when conducting background checks), so they should have a policy in place to (1) enable the employer to form a reasonable belief that the employer knows the identity of the person for whom it has obtained a consumer report, and (2) reconcile the address of the consumer with the credit reporting agency, if the employer establishes as continuing relationship with the consumer and regularly, and in the course of business furnishes information to the credit reporting agency.

Privacy Issues in the Workplace ©2019 (s) Liebert Cassidy Whitmore 122