Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Internet Privacy Government News

FTC Backs Off Red Flag Rules Again 43

coondoggie writes to tell us that the Federal Trade Commission has yet again backed off of the new Red Flag Rule designed to protect consumer information. Complaining about cost of implementation, the enforcement date of the rule has been pushed back to August 1, 2009 to give businesses and institutions time to implement identity theft-prevention programs. "The FTC, federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said."
This discussion has been archived. No new comments can be posted.

FTC Backs Off Red Flag Rules Again

Comments Filter:
  • by Anonymous Coward

    But someone who was able to steal their did.

  • Honestly, I don't mind them delaying it a bit. It's not like they weakened it; they'll get there eventually
  • by SirGarlon ( 845873 ) on Friday May 01, 2009 @02:57PM (#27791909)

    A survey done by the MedPage today of 100 hospitals found that they would have to spend over $10,000 to comply with the Red Flag Rule.

    In comparison with the operating budget of a typical hospital, I hardly think $10,000 is a major expense. They probably spend more than that waxing the floors every year.

    What's the average cost incurred by a single victim of identity fraud? Last I heard it was over $5k. So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

    • by Jane Q. Public ( 1010737 ) on Friday May 01, 2009 @03:31PM (#27792341)
      serious case of identity theft could cost a single one of their "customers" more than $10,000 I think it is reasonable to expect them to do it.
    • Re: (Score:3, Interesting)

      by Red Flayer ( 890720 )

      What's the average cost incurred by a single victim of identity fraud? Last I heard it was over $5k. So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

      Do you have any figures on how many IDs are stolen from hospital databases?

      Let's complete the math here, since you started the problem but never finished it.

      IF the average hospital's info insecurity (ha) policy results in an average of 2 stolen identities per year, th

      • One of the bad assumptions in this chain of logic is that the poor schmuck who had their identity stolen can get their $5k (or whatever...) in losses back from the hospital.

        A more likely scenario is they either eat the cost or they get a lawyer and spend $$$ to have their lawyer whomped by the hospital's much larger legal department and then end up eating the lawyer fees on top of the initial losses.
        • Re: (Score:3, Interesting)

          by Red Flayer ( 890720 )
          I agree, there's additional cost to be considered... but I had included the parenthetical about net societal costs for that reason.

          The total cost of identity theft is equal to the sum of compliance costs plus the sum of costs from identity theft occurrences. Determining the net cost/benefit of a mandatory compliance regulation is tough, because it's hard to quantify how much compliance reduces risk.

          It's possible that the $10,000 a hospital would spend on this would have no preventative effect, in which c
    • by Lumpy ( 12016 ) on Friday May 01, 2009 @04:37PM (#27793035) Homepage

      So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

      When was the last time you were in the hospital or had to deal with one? Hospitals are DESIGNED to rob people blind. My wife had a 2 day stay and she brought her own meds. the Hospital tried to charge us for them because the nurse gave them to her. It was only an extra $190.00 per day charge. Oh they charged us $80.00 for that paper gown as well that she wore. as well as aniother $60.00 for the cleaning crew to come in and mop her floor. Then they walked out leaving dirty footprints all over it.
      I am certian that If I complainedt othem about taking it up the arse, they would add a line item charge for lube

      • by sortius_nod ( 1080919 ) on Friday May 01, 2009 @06:28PM (#27794089) Homepage

        That's exactly why I hate this whole idea of a user pays society.

        There are some things that are needed to be part of the government system... health, education, and welfare.

        Example, here in Australia, we have free(ish) health. On Good Friday I awoke with intense abdominal pains so I went to hospital. Sure, I spent about 1.5-2hrs waiting to be seen, but once I was seen I had a bed, a doctor and a nurse. I was doped up on morphine, had a saline drip to got to watch TV while they did my blood & urine tests. All up I was in the bed for about 6hrs.

        All this cost me a grand total of: $0

        • Re: (Score:1, Flamebait)

          by bencoder ( 1197139 )

          All this cost me a grand total of: $0

          +17% of your taxes source [budget.gov.au]

          Guestimating your yearly tax to be $6000, that's about $1000 per year.

          How often do you go to hospital?

          I'm actually British and we have socialised health care too, but I don't appreciate it, and it bothers me when people claim it's free.

          • Guestimating your yearly tax to be $6000, that's about $1000 per year.

            Given that I pay $200/month for health insurance (in the U.S.) and my employer pays another $400, I would say he's getting quite a bargain -- especially considering the currency exchange rate.

        • Here in America you would have had to wait at least that long to be seen. I don't go to the hospital very often, but I have never had less than a 1.5 hour wait when doing so. In fact, the one time I actually came in on an ambulance strapped to one of those boards (car accident) I waited 8 hours before before being seen by a doctor.

          That whole thing about longer waits in single payer systems is big load of crap.

          • You obviously don't know what the waits are about then.

            It isn't for emergency care or to just be seen. It's about once your seen and the doctor says you need to see X specialist or your need Y procedure. Even an MRI in Canada can take over 4 months at times to get if it wasn't done on an emergency basis. Getting to that point seems to be simple in both systems. What comes after that is so bad on government health systems that it has sparked a medical tourism industry where 10% or better of the people covere

            • In the US we pay the most per capita for medical services and have the lowest percentage of population with medical coverage of any industrial nation.

              In the US, you get to pay an insurance company for the privilege of being thrown down a hole hoping to increase the profits for said company by your eventual death instead of providing the care needed to save your life or stabilize your quality of life so you can get back to normal.

              In the US, the bureaucrat sitting 2000 miles away claiming your taken care of w

              • n the US we pay the most per capita for medical services and have the lowest percentage of population with medical coverage of any industrial nation.

                Apples and Oranges. That's not neccesarily true when all the realities are taken into consideration. In the US, elective cosmetic surgery is added to the per capital spending where in comparison, other countries aren't unless it's specifically covered by the national health plan. Add to that the lower quality of treatments and the refusal of treatment like th

  • by glennpratt ( 1230636 ) on Friday May 01, 2009 @03:02PM (#27791975) Homepage

    Free, instant access to any credit bureau.

    It's ridiculous the information they can store about me and then turn around and charge ME to look at it more than once a year. And my credit score, that should be free for me to view as well.

    I've already had two mistakes on my credit and I'm 25 (1 identity theft and 1 Verizon decided I didn't return FiOS equipment - of course I didn't return it, it's still in use!).

    Making this information free and accessible would be a start.

    • Free, instant access to any credit bureau.

      It's ridiculous the information they can store about me and then turn around and charge ME to look at it more than once a year. And my credit score, that should be free for me to view as well.

      This has its own problems: if you've got unlimited access to your credit report, anyone else who wants to see it (say, the bank you're applying to for the loan) will ask you to provide it rather than paying the credit bureau. At this point, their business model collapses.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Well, then perhaps it should. If the credit card companies have such a hard-on for this information anyway, let them fund these organizations.

      • by Zerth ( 26112 )

        Or charge to add information to theirs records?

        • That would kill the business even faster. Providing information to a credit bureau is of absolutely no value to the provider, so why should they pay?

  • by mpapet ( 761907 ) on Friday May 01, 2009 @03:05PM (#27792015) Homepage

    They are separate and generally speaking do not follow the same rules.

    For example, Bank of America and Chase would not be required to follow these rules.

    The 'backing off' doesn't surprise me one bit as the NCUA is probably in as much trouble as the FDIC with failed credit unions, and lack of funds to protect depositors.

    http://www.cutimes.com/Pages/News.aspx [cutimes.com]

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Actually, they do follow the same rules; FFIEC sets the information security guidelines for both.

      The big difference is how the groups are audited. Banks deal with more (and stricter) regulatory bodies.

      I audit both groups and have found that most have already addressed red flag rules (if they are not already compliant).

      Red Flag rules aren't tough for financial institutions because the rules overlap with previous requirements. It's the other groups that are having trouble.

      The hospitals I audit do not have the

  • by Silentknyght ( 1042778 ) on Friday May 01, 2009 @03:08PM (#27792063)

    Though the article summary touts the Red Flag Rule(s) as something that is designed to protect consumer information, I have serious doubts as to the efficacy of such a system.

    As stated in the article, it's just a system/rule to force banks/creditors/etc. to identify any suspicious activity (i.e. red flags) in their accounts. It doesn't seem to mention anything about any liability or culpability for false positives or worse--completely missing identity theft in action. That said, I still can't believe (provided the inforamtion is true) that companies continue to balk at this. The sums mentioned in the article--$10,000 to comply--are chump change, even if it's a repeated annual expenditure.

  • by gcatullus ( 810326 ) on Friday May 01, 2009 @03:21PM (#27792215)

    The so called red flag rules are an added cost to small businesses and don't really do that much to help prevent identity theft. They apply to anyone who sells a product on any terms other than cash or credit card. This includes your local home heating oil dealer, local appliance store that might offer you a payment plan right down to a bar that lets you keep a tab until pay day.

    You can nominally comply with these rules by downloading a template over the internet and designating a person to "review" red flags. They are overly broad, and treat businesses that keep customer records on index cards in a file cabinet the same as the bank that holds your mortgage.

    These rules are much like PCI compliance. They sound impressive, but mean very little. Heck RBS Worldpay/Lynk is still processing credit cards but they lost their PCI compliance, after suffering a data breach jeopardizing 1.5 million payroll cards and at least 1.1 million Social Security numbers.

    PCI and red flag rules foist the onus of data protection onto small merchants, while the monopolists who benefit from Visa/Mastercard transactions don't have to change anything.

    Visa/Mastercard should be tasked with making the whole system more secure. Forcing the burden of data protection in a broken system onto small merchants is like blaming the depositors in a bank when it gets robbed.

    • If you want to store customer financial data then you need to not only protect it, but be able to verify that you are protecting it. Hence the rules. If your business cannot afford to follow the rules, you can't afford to collect the data. I'd rather put a few sloppy businesses out of business than allow identity theft to be as easy as it currently is.

      And yes, strict data security rules need to be forced on Visa/Mastercard as well as small businesses. The only thing that surprises me about credit card fraud

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        If you want to store customer financial data then you need to not only protect it, but be able to verify that you are protecting it. Hence the rules.

        "The rules" do jack shit. You want to "verify" that I'm protecting a credit card number? Give me a fucking public key so I can encrypt it so that anyone stealing it from my site can't use it elsewhere and neither can any internal rogues.

        Bonus points if I include my own merchant account number so that the encrypted version can't be submitted by another merchan

      • These rules PCI and red flag rules don't just harm the sloppy businesses, they just add more cost to the guys who are trying to do it right already. The sloppy guys aren't going to anything different.

        As I said, you can just pay lip service to the red flag rules and you are compliant. A full PCI audit only covers you for that exact moment. Change out a switch or swap a PIN pad and you aren't PCI compliant anymore.

        As the below anon says - fix the system with public key encryption. Don't make up rules that sou

  • Probably useless... (Score:4, Interesting)

    by UncleTogie ( 1004853 ) on Friday May 01, 2009 @03:31PM (#27792327) Homepage Journal

    I've got my doubts about what this will accomplish.

    As a point-of-sale vendor, we ran across this recently. Some bozo was slinging stolen cards at some of our clients, and we TRIED to report it. No calls back, no interest from the local PD, the FBI, the FTC, or even the Secret Service. It just wasn't big enough to make their radar and assign manpower to it.... even after 2 grand in fake charges.

    I'd like to see them do more when people with all the evidence they would want call them, rather than implement a new program that will drain even more manpower from enforcement.

    • by jonwil ( 467024 )

      If I was to walk into a bank and rob it and walk out with $600, it would be headline news with a big police man-hunt and I would go to pound me in the ass prison for a long time

      But if I was to hack into the computers at the same bank and steal $600,000, it would likely be hushed up by the bank with the only indication that it happened being a "misc expenses" line item in the next annual report or so. And no-one would bother spending any resources trying to catch me.

  • The Red Flag rule had the effect of requiring any company that provided product or services before payment was billed, had to comply with non-trivial requirements for protection, detection and reporting. If the lawn mowing service billed you, they had to meet Red Flag rules.
  • Complaining about cost of implementation, the enforcement date of the rule has been pushed back to August 1, 2009 to give businesses and institutions time to implement identity theft prevention programs.

    I hate it when enforcement dates start complaining on their own.

    I hate it almost as much as when participles start dangling right in the middle of sentences, in full view of children.

  • I highly recommend this blog post by Steven Bearak of Identity Force calling for businesses to comply with the Red Flags Rule and to protect people from identity theft and data breaches (http://www.idtheftdailynews.com)

    Red Flags Rule: It is time to do the right thing.

    On April 30, less than a day before the Federal Trade Commission (FTC) was to begin enforcing the Red Flags Rules, the agency extended the deadline for compliance for the second time, until August 1. The 11th hour reprieve by the FTC refle

If you have a procedure with 10 parameters, you probably missed some.

Working...