Slashdot Mirror


FTC Backs Off Red Flag Rules Again

coondoggie writes to tell us that the Federal Trade Commission has yet again backed off of the new Red Flag Rule designed to protect consumer information. Complaining about cost of implementation, the enforcement date of the rule has been pushed back to August 1, 2009 to give businesses and institutions time to implement identity theft-prevention programs. "The FTC, federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said."

6 of 43 comments

  1. Probably useless... by UncleTogie · · Score: 3, Interesting

    I've got my doubts about what this will accomplish.

    As a point-of-sale vendor, we ran across this recently. Some bozo was slinging stolen cards at some of our clients, and we TRIED to report it. No calls back, no interest from the local PD, the FBI, the FTC, or even the Secret Service. It just wasn't big enough to make their radar and assign manpower to it.... even after 2 grand in fake charges.

    I'd like to see them do more when people with all the evidence they would want call them, rather than implement a new program that will drain even more manpower from enforcement.

    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
  2. Re:Costs too much, huh? by Red+Flayer · · Score: 2, Interesting

    What's the average cost incurred by a single victim of identity fraud? Last I heard it was over $5k. So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

    Do you have any figures on how many IDs are stolen from hospital databases?

    Let's complete the math here, since you started the problem but never finished it.

    IF the average hospital's info insecurity (ha) policy results in an average of 2 stolen identities per year, then it would be worth $10k to protect the data assuming damages of $5k/lost ID. Worthwhile from a societal standpoint, anyway, in terms of absolute costs.

    Now let's look at some other factors... that $10,000 needs to be paid for. Let's say the average hospital handles 10k patients per year, just to make the math easy. That's $1 per visit to pay for the coverage. How about adding a $1 "information security fee" to every hospital bill? Or should this be paid by the insurance companies, in which case we can add another $1 to the cost for collection and administration expenses on that $1.

    At any rate, before you can even BEGIN to make a societal cost benefit analysis of implementing this, you've got to figure out how much the current hospital systems cost us in terms of escaped IDs.

    Sure, $10k doesn't seem like much out of a hospital budget... but then add $10k for this compliance issue, $10k for this other one, and pretty soon you're talking about the need to cut staff in order to pay to meet regulatory requirements. This is how institutional budgets get out of hand... one "small" line item at a time.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  3. Re:Costs too much, huh? by Red+Flayer · · Score: 2, Interesting

    I agree, there's additional cost to be considered... but I had included the parenthetical about net societal costs for that reason.

    The total cost of identity theft is equal to the sum of compliance costs plus the sum of costs from identity theft occurrences. Determining the net cost/benefit of a mandatory compliance regulation is tough, because it's hard to quantify how much compliance reduces risk.

    It's possible that the $10,000 a hospital would spend on this would have no preventative effect, in which case they shouldn't spend the money. It's possible there's a 1:1 return on money invested in compliance, or greater. Without knowing the relationship between compliance spending and reduction of risk, we've no way of figuring out whether it's worthwhile.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  4. Re:Costs too much, huh? by Lumpy · · Score: 3, Interesting

    So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

    When was the last time you were in the hospital or had to deal with one? Hospitals are DESIGNED to rob people blind. My wife had a 2 day stay and she brought her own meds. The hospital tried to charge us for them because the nurse gave them to her. It was only an extra $190.00 per day charge. Oh, they charged us $80.00 for that paper gown as well that she wore, as well as another $60.00 for the cleaning crew to come in and mop her floor. Then they walked out leaving dirty footprints all over it.
    I am certain that if I complained to them about taking it up the arse, they would add a line item charge for lube.

    --
    Do not look at laser with remaining good eye.
  5. Re:Costs too much, huh? by sortius_nod · · Score: 3, Interesting

    That's exactly why I hate this whole idea of a user pays society.

    There are some things that are needed to be part of the government system... health, education, and welfare.

    Example, here in Australia, we have free(ish) health. On Good Friday I awoke with intense abdominal pains so I went to hospital. Sure, I spent about 1.5-2hrs waiting to be seen, but once I was seen I had a bed, a doctor and a nurse. I was doped up on morphine, had a saline drip and got to watch TV while they did my blood & urine tests. All up I was in the bed for about 6hrs.

    All this cost me a grand total of: $0

  6. Re:Much Ado About Nothing by Anonymous Coward · · Score: 1, Interesting

    If you want to store customer financial data then you need to not only protect it, but be able to verify that you are protecting it. Hence the rules.

    "The rules" do jack shit. You want to "verify" that I'm protecting a credit card number? Give me a fucking public key so I can encrypt it so that anyone stealing it from my site can't use it elsewhere and neither can any internal rogues.

    Bonus points if I include my own merchant account number so that the encrypted version can't be submitted by another merchant account.

    Triple word score if I get to add the amount I'm charging in there, so that I can run monthly subscription charges without anyone claiming I can go in and charge whatever I feel like and then run for the hills.

    Frankly, I'd rather not touch the stuff, but the credit card processors have the world by the balls and they've got no interest in fixing anything as long as they can force the merchants to swallow the losses.
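
The scheme sketched in the last comment, as an added example that is not part of the original thread and not any real card processor's API: the merchant seals the card number, its own merchant account id and the charge amount under the processor's public key, and the processor enforces both bindings when it decrypts. The function names, field names and sample values are hypothetical, and RSA-OAEP from Node's built-in `crypto` module is an assumed choice of primitive.

```javascript
// Added example; processorKeys, sealCard and authorize are hypothetical names.
const crypto = require('crypto');

// Processor side: generate the key pair and publish only the public half.
const processorKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Merchant side: seal card number, merchant account and amount into one blob.
// The merchant stores only this blob and has no key that can open it.
function sealCard(publicKey, pan, merchantId, amountCents) {
  const payload = JSON.stringify({ pan, merchantId, amountCents });
  return crypto
    .publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(payload, 'utf8'))
    .toString('base64');
}

// Processor side: decrypt, then check the sealed bindings against the
// merchant actually submitting the charge and the amount being requested.
function authorize(privateKey, blob, submittingMerchantId, requestedCents) {
  let fields;
  try {
    const plain = crypto.privateDecrypt(
      { key: privateKey, ...OAEP }, Buffer.from(blob, 'base64'));
    fields = JSON.parse(plain.toString('utf8'));
  } catch (err) {
    // Modified or foreign ciphertext fails the OAEP padding check.
    return { ok: false, reason: 'undecryptable' };
  }
  if (fields.merchantId !== submittingMerchantId) {
    return { ok: false, reason: 'wrong-merchant' };
  }
  if (fields.amountCents !== requestedCents) {
    return { ok: false, reason: 'wrong-amount' };
  }
  return { ok: true, last4: fields.pan.slice(-4) };
}

// Constructed sample values: a standard test card number, made-up merchant ids.
const blob = sealCard(processorKeys.publicKey, '4111111111111111', 'MERCH-001', 999);
console.log(authorize(processorKeys.privateKey, blob, 'MERCH-001', 999));
console.log(authorize(processorKeys.privateKey, blob, 'MERCH-002', 999));
console.log(authorize(processorKeys.privateKey, blob, 'MERCH-001', 50000));
```

The same blob can be resubmitted by the same merchant for the same amount, which is what a monthly subscription charge needs; limiting how often is left to the processor's own policy.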