The question now is whether organizations covered by the Red Flags Rule will be prepared to comply with the new regulations when the latest implementation deadline arrives.

Organizations must implement programs to protect themselves and their customers from breaches of data security.

According to a study by Javelin Strategy & Research, in 2007, 8.1 million Americans were victimized by identity fraud, and the attacks continue today. Ponemon Institute's fourth annual “U.S. Cost of a Data Breach Study” indicates that the highest-impact security incidents often originate from within organizations.

Nine out of every 10 risk managers may be aware of the importance of digital security. In one high-profile instance, a major retail company experienced a massive security breach, which jeopardized 45.7 million credit and debit cards. The breach occurred after a hacker reportedly gained access to customers' credit card data and drivers' license information.

While many risk managers may focus on digital security practices, some may make million-dollar mistakes by overlooking the importance of keeping confidential paper documents secure.

For instance, confidential information on a single document recently cost a large nonprofit association in Washington, D.C. more than $100,000. The breach occurred when a document containing confidential employee life insurance information was hand-delivered to the organization's broker, and the broker's temporary employee proceeded to steal and sell the information.

The case resulted in the theft of several employees' personal information and severe costs in legal fees and reputation for the organization.

How should risk managers prepare for the Red Flags Rule?

The first step risk management professionals should take to help their organizations assure compliance is to conduct a loss control assessment.

By performing a focused evaluation of their company's operational risks, the risk manager can identify common breach points in the major functions of the organization. Once these risks are identified, the risk manager can begin developing a comprehensive plan to ensure the organization is secure.

The Red Flags Rule applies to state or national banks, savings and loan associations, mutual savings banks, credit unions, and any other individuals or organizations that, directly or indirectly, hold a “transaction account.”

Organizations covered by the Red Flags Rule must be prepared to comply with the new standards to avoid costly fines, regulatory enforcement actions and the risk of customer identity theft.

Risk managers can help organizations achieve compliance by enforcing security measures, such as using an outsourced information destruction provider and ensuring all confidential documents are disposed of properly.

Timely and frequent document destruction is an excellent preventive measure to help mitigate identity theft, by significantly reducing the risks of sensitive documents falling into the wrong hands.

Additionally, shredding all confidential waste paper into unrecognizable confetti which can be recycled into new paper products reduces the negative environmental impact of the organization.

Colette Raymond is executive vice president of operations at Shred-it North America, based in Toronto, Canada. For more information, visit www.shredit.com.