Three recent SEC settlement orders serve as a reminder that firms must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft. The settlements resolve SEC enforcement proceedings, alleging deficiencies in identity theft red flag programs, against J.P. Morgan Securities LLC, TradeStation Securities, Inc., and UBS Financial Services Inc. This article explores the relevant requirements of Regulation S‑ID – the Identity Theft Red Flag Rules – and Rule 201 thereunder, the programs’ alleged shortcomings that gave rise to the enforcement proceedings and the terms of the settlement orders, with additional insights from Jason Elmer, founder and CEO of Drawbridge Partners. See our two-part series on digital identity management in a post-pandemic world: “A Framework for Identity-Centric Cybersecurity
” (Mar. 24, 2021); “SolarWinds, Zero Trust and the Challenges Ahead
” (Mar. 17, 2021).