Claire Rosenzweig, president and CEO of the metropolitan New York chapter of the Better Business Bureau (BBB), said that businesses are eager to fight identity theft as part of their Corporate Social Responsibility (CSR) efforts, but prefer self-regulation to the other kind.

Most businesses said they found it easy to comply. "It fit naturally within our compliance organization," said Orrie Dinstein, chief privacy leader and senior IP counsel at GE Capital, the finance arm of General Electric. "We're a very compliance-driven company. Other companies may have a different culture."

Employees of SUNY were surprised to be subject to the rule and implementing it was quite complex. SUNY's Gilbertson explained that SUNY is a very diverse institution.

"We have 64 campuses, and in addition to education, we do things like health care," he said. "We have large research operations like Stonybrook, technical colleges, Liberal Arts schools like Alfred, community colleges, and hospitals," said Gilbertson.

SUNY has one board, not 64, but the board was not accustomed to handling the day-to-day details of the operations of the various campuses. The board wrote general guidelines and then each institution provided more specific guidelines as appropriate, with input from Gilbertson's team.

"We went around to the various campuses. We went to representative campuses, not to all 64, and provided a template with cut and paste language. We put in mostly things that we're already doing, but we did get people talking to each other who weren't before and should have been and are talking now."

Education and communication is one of the benefits of the rule. "It's an opportunity for training," said Laura Dishman, privacy and AML associate for law and compliance at educational savings firm TIAA-CREF.

"Once you get people past the point of being upset about having to do something that they didn't do before, they realize that there's not much to change," she added.

Since the act only requires "reasonable precautions" many of the institutions that complain about being targeted by the act won't find compliance burdensome because their accounts will be classified as low risk.

While TIAA-CREF has to keep a close eye on activity in people's retirement accounts, from which identity thieves could withdraw cash, GE Capital can protect copier leasing plans with a lower level of security as identity thieves could only use the accounts to order office equipment. GE's Dinstein added that thieves could use the accounts to make payments for other people's equipment, but GE saw that as an unlikely eventuality.

Some at the event complained to the FTC that while it treats businesses reasonably, it provides no protection to consumers. "The consumer cannot sue a business for having or not having red flags," said the FTC's George.

"Consumers may complain to the FTC, but there will not necessarily be any investigation," she added.

The rule is jointly enforced by the FTC and by various financial industry regulators. George said that if the FTC receives a complaint about an institution over which it does not have jurisdiction, the FTC could pass that complaint on to the correct regulator.

Article courtesy of