FTC Backs Off Red Flag Rules Again

coondoggie writes to tell us that the Federal Trade Commission has yet again backed off of the new Red Flag Rule designed to protect consumer information. Complaining about cost of implementation, the enforcement date of the rule has been pushed back to August 1, 2009 to give businesses and institutions time to implement identity theft-prevention programs. "The FTC, federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said."

Actually, the FTC didn't

But someone who was able to steal their did.

Re:Actually, the FTC didn't

Someone stole my "identity" right out my comment, too.

Re:Actually, the FTC didn't

Dam! They did it again....

Re:Actually, the FTC didn't

[Aranykai]

Ah, you accidentally the whole first post?

Re:Actually, the FTC didn't

He accidentally deleted the whole first.

Well..

[CSFFlame]

Honestly, I don't mind them delaying it a bit. It's not like they weakened it; they'll get there eventually

Re:Well..

[SEWilco]

Some delay is good. It's the worst Capture the Flag server ever.

Costs too much, huh?

[SirGarlon]

A survey done by the MedPage today of 100 hospitals found that they would have to spend over $10,000 to comply with the Red Flag Rule.

In comparison with the operating budget of a typical hospital, I hardly think $10,000 is a major expense. They probably spend more than that waxing the floors every year.

What's the average cost incurred by a single victim of identity fraud? Last I heard it was over $5k. So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

Re:Costs too much, huh?

[Red+Flayer]

What's the average cost incurred by a single victim of identity fraud? Last I heard it was over $5k. So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

Do you have any figures on how many IDs are stolen from hospital databases?

Let's complete the math here, since you started the problem but never finished it.

IF the average hospital's info insecurity (ha) policy results in an average of 2 stolen identities per year, then it would be worth $10k to protect the data assuming damages of $5k/lost ID. Worthwhile from a societal standpoint, anyway, in terms of absolute costs.

Now let's look at some other factors... that $10,000 needs to be paid for. Let's say the average hospital handles 10k patients per year, just to make the math easy. That's $1 per visit to pay for the coverage. How about adding a $1 "information security fee" to every hospital bill? Or should this be paid by the insurance companies, in which case we can add another $1 to the cost for collection and administration expenses on that $1.

At any rate, before you can even BEGIN to make a societal cost benefit analysis of implementing this, you've got to figure out how much the current hospital systems cost us in terms of escaped IDs.

Sure, $10k doesn't seem like much out of a hospital budget... but then add $10k for this compliance issue, $10k for this other one, and pretty soon you're talking about the need to cut staff in order to pay to meet regulatory requirements. This is how institutional budgets get out of hand... one "small" line item at a time.

Re:Costs too much, huh?

[Gription]

One of the bad assumptions in this chain of logic is that the poor schmuck who had their identity stolen can get their $5k (or whatever...) in losses back from the hospital.

A more likely scenario is they either eat the cost or they get a lawyer and spend $$$ to have their lawyer whomped by the hospital's much larger legal department and then end up eating the lawyer fees on top of the initial losses.

Re:Costs too much, huh?

[Red+Flayer]

I agree, there's additional cost to be considered... but I had included the parenthetical about net societal costs for that reason.

The total cost of identity theft is equal to the sum of compliance costs plus the sum of costs from identity theft occurrences. Determining the net cost/benefit of a mandatory compliance regulation is tough, because it's hard to quantify how much compliance reduces risk.

It's possible that the $10,000 a hospital would spend on this would have no preventative effect, in which case they shouldn't spend the money. It's possible there's a 1:1 return on money invested in compliance, or greater. Without knowing the relationship between compliance spending and reduction of risk, we've no way of figuring out whether it's worthwhile.

Re:Costs too much, huh?

[Lumpy]

So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

When was the last time you were in the hospital or had to deal with one? Hospitals are DESIGNED to rob people blind. My wife had a 2 day stay and she brought her own meds. the Hospital tried to charge us for them because the nurse gave them to her. It was only an extra $190.00 per day charge. Oh they charged us $80.00 for that paper gown as well that she wore. as well as aniother $60.00 for the cleaning crew to come in and mop her floor. Then they walked out leaving dirty footprints all over it.
I am certian that If I complainedt othem about taking it up the arse, they would add a line item charge for lube

Re:Costs too much, huh?

[sortius_nod]

That's exactly why I hate this whole idea of a user pays society.

There are some things that are needed to be part of the government system... health, education, and welfare.

Example, here in Australia, we have free(ish) health. On Good Friday I awoke with intense abdominal pains so I went to hospital. Sure, I spent about 1.5-2hrs waiting to be seen, but once I was seen I had a bed, a doctor and a nurse. I was doped up on morphine, had a saline drip to got to watch TV while they did my blood & urine tests. All up I was in the bed for about 6hrs.

All this cost me a grand total of: $0

Re:Costs too much, huh?

[bencoder]

All this cost me a grand total of: $0

+17% of your taxes source

Guestimating your yearly tax to be $6000, that's about $1000 per year.

How often do you go to hospital?

I'm actually British and we have socialised health care too, but I don't appreciate it, and it bothers me when people claim it's free.

Re:Costs too much, huh?

[MrResistor]

Here in America you would have had to wait at least that long to be seen. I don't go to the hospital very often, but I have never had less than a 1.5 hour wait when doing so. In fact, the one time I actually came in on an ambulance strapped to one of those boards (car accident) I waited 8 hours before before being seen by a doctor.

That whole thing about longer waits in single payer systems is big load of crap.

Re:Costs too much, huh?

[sumdumass]

You obviously don't know what the waits are about then.

It isn't for emergency care or to just be seen. It's about once your seen and the doctor says you need to see X specialist or your need Y procedure. Even an MRI in Canada can take over 4 months at times to get if it wasn't done on an emergency basis. Getting to that point seems to be simple in both systems. What comes after that is so bad on government health systems that it has sparked a medical tourism industry where 10% or better of the people covered in some/most of these government health systems attempt to find user pays medical coverage in other countries.

I can't find my link now, but the specific one I'm looking for (and your google fingers will work just as well) stated the above and referenced Germany who was spending massive amounts of money attempting to get their quality of care to be on par with the US's to attract a portion of Europe's medical tourism the currently goes to India and Japan. It stated that Canada's people go to the US and Mexico by and large and even referenced the "Wait Insurance" being sold in Canada to it's people (with a massive outcry of the Canadian governments) where private citizens are paying for health insurance to guarantee medical access within a reasonable amount of time even if they have to leave their province or country to get it. In 2006 or so, the Canadian supreme court in the Chaoulli decision ruled that Quebec's health care systems laws violated the rights to life, liberty, and security of person with Seven of seven judges ruled that patients experienced physical and psychological suffering", and all ruled that the system imposed the risk of death and irreparable harm to patients waiting for care. Look at statement number eight in this PDF for a little more on that. You should be able to find better sources from that. And yes, that was an industry piece.

Are there waits in the US too? Sure there is when you can't pay or skimped out and purchased a cheap insurance policy. But in the US, the government doesn't tell you not to make provisions on your own then throw you down a hole hoping to save the costs by your eventual death instead of providing the care needed to save your life or stabilize your quality of life so you can get back to normal. In the US, that's all up to you to "choose" to do, not some bureaucrats sitting 2000 miles away claiming your taken care of when your not. Of you belay the new car, sit back from the toys, you can most likely afford your own health care, but you get to choose how good or bad your coverage is and you get to have some say in how much or little you can pay verses spending the funding on a new big Screen TV so you can see the zits on Brittany's face when she checks in/out of rehab again.

Re:Costs too much, huh?

[MrResistor]

In the US we pay the most per capita for medical services and have the lowest percentage of population with medical coverage of any industrial nation.

In the US, you get to pay an insurance company for the privilege of being thrown down a hole hoping to increase the profits for said company by your eventual death instead of providing the care needed to save your life or stabilize your quality of life so you can get back to normal.

In the US, the bureaucrat sitting 2000 miles away claiming your taken care of when you're not is called an "insurance agent".

And no, private health insurance is not affordable to the vast majority of US residents who are not currently covered. These are not people blowing their money on new cars and big screen TVs, these are people who are already having a hard time paying for necessities even though they may be working full time or more. Furthermore, the need for employers to subsidize health care is a significant drag on US companies' ability to compete globally.

The PDF you linked says pretty directly that the problem in Canada is a shortage of doctors, beds, and private sector competition. It also says that countries offering universal care but also having a vibrant private sector don't suffer from the long wait problems Canada does.

And finally, there are plenty of Americans who go shopping internationally for medical services as well. In fact, many of them go to Canada.

Re:Costs too much, huh?

[sumdumass]

n the US we pay the most per capita for medical services and have the lowest percentage of population with medical coverage of any industrial nation.

Apples and Oranges. That's not neccesarily true when all the realities are taken into consideration. In the US, elective cosmetic surgery is added to the per capital spending where in comparison, other countries aren't unless it's specifically covered by the national health plan. Add to that the lower quality of treatments and the refusal of treatment like the elderly get in England and Europe, and you will see the spending is very similar.

In the US, you get to pay an insurance company for the privilege of being thrown down a hole hoping to increase the profits for said company by your eventual death instead of providing the care needed to save your life or stabilize your quality of life so you can get back to normal.

If that your choice, then it is _YOUR_CHOICE. It isn't the government's choice or your neighbors choice and the only time the choices over your own health should be taken from you is when an emergency exists and you aren't able to communicate or comprehend those choices. And no, Not all insurance is like that, not even remotely all. However, I do see your need to vilify insurance companies blindly in order to support your position.

In the US, the bureaucrat sitting 2000 miles away claiming your taken care of when you're not is called an "insurance agent".

And the difference here is that you can drop that insurance agent and get another at will or any time. Liberty is about you having the power to control your own destiny and you deciding your own situation. The very thought of forcing me to pay for government health and taking my choices away or even my option to make those choices goes against the very grain this country was founded on. You can pick and chose which insurance agent you want or what policies you want to purchase. You can't do that with a politician in charge looking for contributions and you cannot make changes to your coverage without convincing millions of other people to do the same. Why you seem to think that giving up your freedom and choices is a good thing, I will never know. But I think I can comfortably assume your leaning towards the idea of someone else paying for your medical coverage so you can buy another big screen TV or something. Well, think about it, you will be taxed more and not be able to buy new shiny things and you will not have the ability to decide what type of coverage you want/need nor will you be able to skimp on certain things to afford others.

And no, private health insurance is not affordable to the vast majority of US residents who are not currently covered. These are not people blowing their money on new cars and big screen TVs, these are people who are already having a hard time paying for necessities even though they may be working full time or more. Furthermore, the need for employers to subsidize health care is a significant drag on US companies' ability to compete globally.

Actually, private health insurance is affordable to the vast majority of people. There is a small group of people who aren't already eligible or covered by government health and cannot legitimately afford health insurance. The majority of people claiming not to be able to afford it cannot do so because of life style choices.

BTW, there is no need for employers to subsidize health coverage. That's something they do to attract certain employees and to help keep them productive. If they weren't paying for the employer portion of insurance policies, they would be paying more in taxes to cover government health and more in wages to still attract those same types of people. The only drag you are seeing is a fictional one made up entirely to support a non-existent point.

The PDF you link

Re:Costs too much, huh?

[SirGarlon]

Guestimating your yearly tax to be $6000, that's about $1000 per year.

Given that I pay $200/month for health insurance (in the U.S.) and my employer pays another $400, I would say he's getting quite a bargain -- especially considering the currency exchange rate.

What I really want!

[glennpratt]

Free, instant access to any credit bureau.

It's ridiculous the information they can store about me and then turn around and charge ME to look at it more than once a year. And my credit score, that should be free for me to view as well.

I've already had two mistakes on my credit and I'm 25 (1 identity theft and 1 Verizon decided I didn't return FiOS equipment - of course I didn't return it, it's still in use!).

Making this information free and accessible would be a start.

Re:What I really want!

[Carnildo]

Free, instant access to any credit bureau.

It's ridiculous the information they can store about me and then turn around and charge ME to look at it more than once a year. And my credit score, that should be free for me to view as well.

This has its own problems: if you've got unlimited access to your credit report, anyone else who wants to see it (say, the bank you're applying to for the loan) will ask you to provide it rather than paying the credit bureau. At this point, their business model collapses.

Re:What I really want!

Well, then perhaps it should. If the credit card companies have such a hard-on for this information anyway, let them fund these organizations.

Re:What I really want!

[Zerth]

Or charge to add information to theirs records?

Re:What I really want!

[Carnildo]

That would kill the business even faster. Providing information to a credit bureau is of absolutely no value to the provider, so why should they pay?

Don't Confuse Banks and Credit Unions

[mpapet]

They are separate and generally speaking do not follow the same rules.

For example, Bank of America and Chase would not be required to follow these rules.

The 'backing off' doesn't surprise me one bit as the NCUA is probably in as much trouble as the FDIC with failed credit unions, and lack of funds to protect depositors.

http://www.cutimes.com/Pages/News.aspx

Re:Don't Confuse Banks and Credit Unions

Actually, they do follow the same rules; FFIEC sets the information security guidelines for both.

The big difference is how the groups are audited. Banks deal with more (and stricter) regulatory bodies.

I audit both groups and have found that most have already addressed red flag rules (if they are not already compliant).

Red Flag rules aren't tough for financial institutions because the rules overlap with previous requirements. It's the other groups that are having trouble.

The hospitals I audit do not have the culture yet for information security and that starts at the top with the doctors.

Red Flag Rule = Guessing Game

[Silentknyght]

Though the article summary touts the Red Flag Rule(s) as something that is designed to protect consumer information, I have serious doubts as to the efficacy of such a system.

As stated in the article, it's just a system/rule to force banks/creditors/etc. to identify any suspicious activity (i.e. red flags) in their accounts. It doesn't seem to mention anything about any liability or culpability for false positives or worse--completely missing identity theft in action. That said, I still can't believe (provided the inforamtion is true) that companies continue to balk at this. The sums mentioned in the article--$10,000 to comply--are chump change, even if it's a repeated annual expenditure.

Much Ado About Nothing

[gcatullus]

The so called red flag rules are an added cost to small businesses and don't really do that much to help prevent identity theft. They apply to anyone who sells a product on any terms other than cash or credit card. This includes your local home heating oil dealer, local appliance store that might offer you a payment plan right down to a bar that lets you keep a tab until pay day.

You can nominally comply with these rules by downloading a template over the internet and designating a person to "review" red flags. They are overly broad, and treat businesses that keep customer records on index cards in a file cabinet the same as the bank that holds your mortgage.

These rules are much like PCI compliance. They sound impressive, but mean very little. Heck RBS Worldpay/Lynk is still processing credit cards but they lost their PCI compliance, after suffering a data breach jeopardizing 1.5 million payroll cards and at least 1.1 million Social Security numbers.

PCI and red flag rules foist the onus of data protection onto small merchants, while the monopolists who benefit from Visa/Mastercard transactions don't have to change anything.

Visa/Mastercard should be tasked with making the whole system more secure. Forcing the burden of data protection in a broken system onto small merchants is like blaming the depositors in a bank when it gets robbed.

Re:Much Ado About Nothing

[pete6677]

If you want to store customer financial data then you need to not only protect it, but be able to verify that you are protecting it. Hence the rules. If your business cannot afford to follow the rules, you can't afford to collect the data. I'd rather put a few sloppy businesses out of business than allow identity theft to be as easy as it currently is.

And yes, strict data security rules need to be forced on Visa/Mastercard as well as small businesses. The only thing that surprises me about credit card fraud is that there isn't more of it going on.

Re:Much Ado About Nothing

If you want to store customer financial data then you need to not only protect it, but be able to verify that you are protecting it. Hence the rules.

"The rules" do jack shit. You want to "verify" that I'm protecting a credit card number? Give me a fucking public key so I can encrypt it so that anyone stealing it from my site can't use it elsewhere and neither can any internal rogues.

Bonus points if I include my own merchant account number so that the encrypted version can't be submitted by another merchant account.

Triple word score if I get to add the amount I'm charging in there, so that I can run monthly subscription charges without anyone claiming I can go in and charge whatever I feel like and then run for the hills.

Frankly, I'd rather not touch the stuff, but the credit card processors have the world by the balls and they've got no interest in fixing anything as long as they can force the merchants to swallow the losses.

Re:Much Ado About Nothing

[gcatullus]

These rules PCI and red flag rules don't just harm the sloppy businesses, they just add more cost to the guys who are trying to do it right already. The sloppy guys aren't going to anything different.

As I said, you can just pay lip service to the red flag rules and you are compliant. A full PCI audit only covers you for that exact moment. Change out a switch or swap a PIN pad and you aren't PCI compliant anymore.

As the below anon says - fix the system with public key encryption. Don't make up rules that sound good, but accomplish nothing.

Re:Much Ado About Nothing

So you want to put out of business the local grocery store I go to that lets me get food now and pay for it when I get paid.

I'm fine with them keeping my information on index cards. If you're not, you shouldn't force them out of business, just don't shop there.

Probably useless...

[UncleTogie]

I've got my doubts about what this will accomplish.

As a point-of-sale vendor, we ran across this recently. Some bozo was slinging stolen cards at some of our clients, and we TRIED to report it. No calls back, no interest from the local PD, the FBI, the FTC, or even the Secret Service. It just wasn't big enough to make their radar and assign manpower to it.... even after 2 grand in fake charges.

I'd like to see them do more when people with all the evidence they would want call them, rather than implement a new program that will drain even more manpower from enforcement.

Re:Probably useless...

[jonwil]

If I was to walk into a bank and rob it and walk out with $600, it would be headline news with a big police man-hunt and I would go to pound me in the ass prison for a long time

But if I was to hack into the computers at the same bank and steal $600,000, it would likely be hushed up by the bank with the only indication that it happened being a "misc expenses" line item in the next annual report or so. And no-one would bother spending any resources trying to catch me.

Re:Probably useless...

[witherstaff]

And if you stole 13 trillion dollars we'd just call you a banker.

Considering that even one

[Jane+Q.+Public]

serious case of identity theft could cost a single one of their "customers" more than $10,000 I think it is reasonable to expect them to do it.

Article is not entirely correct

I work for a financial institution who is regulated by the FRB and OFIS. We were requried to have a Red Flag program in place by Nov 2008 and we were examined at the beginning of 2009. Red Flags was part of that examination. The delay of implementation is not across the board.

To be honest though, all financial institutions do have policies and procedures in place for every potential red flag. "Red Flags" is nothing more than yet another Risk Assessment where all of those programs are brought together under one umbrella.

Unintended effect on any lender

[itilguy]

The Red Flag rule had the effect of requiring any company that provided product or services before payment was billed, had to comply with non-trivial requirements for protection, detection and reporting. If the lawn mowing service billed you, they had to meet Red Flag rules.

Re:Unintended effect on any lender

I agree that it is ridiculous both in its breadth of definition of Creditor and in many other ways. However it merely requires that a policy be adopted, not that it be more than trivial. It will be up to the courts to determine whether a company has failed to exercise adequate due diligence in its policy or has addressed things in too trivial a f

None of these tools is free software, so...

Why would one use these applications instead of say Tor?

WHO complained?

[rpresser]

Complaining about cost of implementation, the enforcement date of the rule has been pushed back to August 1, 2009 to give businesses and institutions time to implement identity theft prevention programs.

I hate it when enforcement dates start complaining on their own.

I hate it almost as much as when participles start dangling right in the middle of sentences, in full view of children.

Red Flags Rule: It is time to do the right thing.

[DerekBeckwith]

I highly recommend this blog post by Steven Bearak of Identity Force calling for businesses to comply with the Red Flags Rule and to protect people from identity theft and data breaches (http://www.idtheftdailynews.com)

Red Flags Rule: It is time to do the right thing.

On April 30, less than a day before the Federal Trade Commission (FTC) was to begin enforcing the Red Flags Rules, the agency extended the deadline for compliance for the second time, until August 1. The 11th hour reprieve by the FTC reflects the fact that far too many organizations have either failed in their efforts to develop identity theft prevention programs, or simply ignored the governmentâ(TM)s mandate to do so.

The Red Flags Rule requires financial institutions and creditors to develop and implement programs to identify, detect, and respond to indications of identity theft. The rules apply to a wide set of businesses including retailers, hospitals, colleges, universities, and utilities.

Unfortunately, businesses have not stepped up to protect their customers, members or patients. Two weeks ago Identity Force released a report that warned of non-compliance in the hospital industry. The report, available at www.identityforce.com/redflagsrulesreport.pdf, revealed that over 80 percent of hospitals were not yet in compliance.

Identity theft and data breaches should be taken much more seriously by businesses and by the government. Data breaches are increasing exponentially, organized cybercrime networks are attacking computer systems daily, and every year millions of Americans become victims of identity theft. What more will it take before organizations do the right thing?

Forty-four states now have identity theft laws on the books, and the FTC eventually will enforce Red Flag Rules. However, regardless of the letter of the law, identity theft and data breaches are clearly inevitable in todayâ(TM)s society. Complying with new laws and regulations and protecting the public is not an option; it is a necessity for organizations that want to survive in our new economy. Businesses must take action or face significant financial risk and reputation damage.

Some organizations may feel that complying with the new rules and combating identity theft and data breaches is a complex and burdensome task. In reality it is not. Turn-key identity protection, compliance and data breach solutions are available for businesses that will immediately bring an organization in line with all state and federal laws. These solutions will also drive down risk, and have the potential to save businesses millions of dollars.

Executives and managers should not hem, haw, stall or delay any longer. When asked if they are prepared to do the right thing regarding identity theft protection, their answers should be one word â" âoeYes.â

Steven Bearak is the CEO of Identity Force. For more information, visit www.identityforce.com/ProtectBusiness.php.