Slashdot Mirror


FTC Backs Off Red Flag Rules Again

coondoggie writes to tell us that the Federal Trade Commission has yet again backed off of the new Red Flag Rule designed to protect consumer information. After complaints about the cost of implementation, the enforcement date of the rule has been pushed back to August 1, 2009 to give businesses and institutions time to implement identity theft-prevention programs. "The FTC, federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said."

14 of 43 comments

  1. Costs too much, huh? by SirGarlon · · Score: 5, Insightful

    A survey done by MedPage Today of 100 hospitals found that they would have to spend over $10,000 to comply with the Red Flag Rule.

    In comparison with the operating budget of a typical hospital, I hardly think $10,000 is a major expense. They probably spend more than that waxing the floors every year.

    What's the average cost incurred by a single victim of identity fraud? Last I heard it was over $5k. So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Costs too much, huh? by Red Flayer · · Score: 2, Interesting

      What's the average cost incurred by a single victim of identity fraud? Last I heard it was over $5k. So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

      Do you have any figures on how many IDs are stolen from hospital databases?

      Let's complete the math here, since you started the problem but never finished it.

      IF the average hospital's info insecurity (ha) policy results in an average of 2 stolen identities per year, then it would be worth $10k to protect the data assuming damages of $5k/lost ID. Worthwhile from a societal standpoint, anyway, in terms of absolute costs.

      Now let's look at some other factors... that $10,000 needs to be paid for. Let's say the average hospital handles 10k patients per year, just to make the math easy. That's $1 per visit to pay for the coverage. How about adding a $1 "information security fee" to every hospital bill? Or should this be paid by the insurance companies, in which case we can add another $1 to the cost for collection and administration expenses on that $1.

      At any rate, before you can even BEGIN to make a societal cost benefit analysis of implementing this, you've got to figure out how much the current hospital systems cost us in terms of escaped IDs.

      Sure, $10k doesn't seem like much out of a hospital budget... but then add $10k for this compliance issue, $10k for this other one, and pretty soon you're talking about the need to cut staff in order to pay to meet regulatory requirements. This is how institutional budgets get out of hand... one "small" line item at a time.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:Costs too much, huh? by Gription · · Score: 2

      One of the bad assumptions in this chain of logic is that the poor schmuck who had their identity stolen can get their $5k (or whatever...) in losses back from the hospital.

      A more likely scenario is they either eat the cost or they get a lawyer and spend $$$ to have their lawyer whomped by the hospital's much larger legal department and then end up eating the lawyer fees on top of the initial losses.

    3. Re:Costs too much, huh? by Red Flayer · · Score: 2, Interesting

      I agree, there's additional cost to be considered... but I had included the parenthetical about net societal costs for that reason.

      The total cost of identity theft is equal to the sum of compliance costs plus the sum of costs from identity theft occurrences. Determining the net cost/benefit of a mandatory compliance regulation is tough, because it's hard to quantify how much compliance reduces risk.

      It's possible that the $10,000 a hospital would spend on this would have no preventative effect, in which case they shouldn't spend the money. It's possible there's a 1:1 return on money invested in compliance, or greater. Without knowing the relationship between compliance spending and reduction of risk, we've no way of figuring out whether it's worthwhile.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    4. Re:Costs too much, huh? by Lumpy · · Score: 3, Interesting

      So for the hospital to save its petty $10k in implementation costs, how many patients are they willing to screw over? (All of 'em, it seems.)

      When was the last time you were in the hospital or had to deal with one? Hospitals are DESIGNED to rob people blind. My wife had a 2 day stay and she brought her own meds. The hospital tried to charge us for them because the nurse gave them to her. It was only an extra $190.00 per day charge. Oh, they charged us $80.00 for that paper gown she wore as well, as well as another $60.00 for the cleaning crew to come in and mop her floor. Then they walked out leaving dirty footprints all over it.
      I am certain that if I complained to them about taking it up the arse, they would add a line item charge for lube.

      --
      Do not look at laser with remaining good eye.
    5. Re:Costs too much, huh? by sortius_nod · · Score: 3, Interesting

      That's exactly why I hate this whole idea of a user pays society.

      There are some things that are needed to be part of the government system... health, education, and welfare.

      Example, here in Australia, we have free(ish) health. On Good Friday I awoke with intense abdominal pains so I went to hospital. Sure, I spent about 1.5-2hrs waiting to be seen, but once I was seen I had a bed, a doctor and a nurse. I was doped up on morphine, had a saline drip and got to watch TV while they did my blood & urine tests. All up I was in the bed for about 6hrs.

      All this cost me a grand total of: $0

  2. What I really want! by glennpratt · · Score: 4, Insightful

    Free, instant access to any credit bureau.

    It's ridiculous the information they can store about me and then turn around and charge ME to look at it more than once a year. And my credit score, that should be free for me to view as well.

    I've already had two mistakes on my credit and I'm 25 (1 identity theft and 1 Verizon decided I didn't return FiOS equipment - of course I didn't return it, it's still in use!).

    Making this information free and accessible would be a start.

  3. Don't Confuse Banks and Credit Unions by mpapet · · Score: 4, Informative

    They are separate and generally speaking do not follow the same rules.

    For example, Bank of America and Chase would not be required to follow these rules.

    The 'backing off' doesn't surprise me one bit as the NCUA is probably in as much trouble as the FDIC with failed credit unions, and lack of funds to protect depositors.

    http://www.cutimes.com/Pages/News.aspx

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:Don't Confuse Banks and Credit Unions by Anonymous Coward · · Score: 2, Informative

      Actually, they do follow the same rules; FFIEC sets the information security guidelines for both.

      The big difference is how the groups are audited. Banks deal with more (and stricter) regulatory bodies.

      I audit both groups and have found that most have already addressed red flag rules (if they are not already compliant).

      Red Flag rules aren't tough for financial institutions because the rules overlap with previous requirements. It's the other groups that are having trouble.

      The hospitals I audit do not have the culture yet for information security and that starts at the top with the doctors.

  4. Red Flag Rule = Guessing Game by Silentknyght · · Score: 5, Insightful

    Though the article summary touts the Red Flag Rule(s) as something that is designed to protect consumer information, I have serious doubts as to the efficacy of such a system.

    As stated in the article, it's just a system/rule to force banks/creditors/etc. to identify any suspicious activity (i.e. red flags) in their accounts. It doesn't seem to mention anything about any liability or culpability for false positives or worse--completely missing identity theft in action. That said, I still can't believe (provided the information is true) that companies continue to balk at this. The sums mentioned in the article--$10,000 to comply--are chump change, even if it's a repeated annual expenditure.

  5. Much Ado About Nothing by gcatullus · · Score: 2, Insightful

    The so called red flag rules are an added cost to small businesses and don't really do that much to help prevent identity theft. They apply to anyone who sells a product on any terms other than cash or credit card. This includes your local home heating oil dealer, local appliance store that might offer you a payment plan right down to a bar that lets you keep a tab until pay day.

    You can nominally comply with these rules by downloading a template over the internet and designating a person to "review" red flags. They are overly broad, and treat businesses that keep customer records on index cards in a file cabinet the same as the bank that holds your mortgage.

    These rules are much like PCI compliance. They sound impressive, but mean very little. Heck RBS Worldpay/Lynk is still processing credit cards but they lost their PCI compliance, after suffering a data breach jeopardizing 1.5 million payroll cards and at least 1.1 million Social Security numbers.

    PCI and red flag rules foist the onus of data protection onto small merchants, while the monopolists who benefit from Visa/Mastercard transactions don't have to change anything.

    Visa/Mastercard should be tasked with making the whole system more secure. Forcing the burden of data protection in a broken system onto small merchants is like blaming the depositors in a bank when it gets robbed.

  6. Probably useless... by UncleTogie · · Score: 3, Interesting

    I've got my doubts about what this will accomplish.

    As a point-of-sale vendor, we ran across this recently. Some bozo was slinging stolen cards at some of our clients, and we TRIED to report it. No calls back, no interest from the local PD, the FBI, the FTC, or even the Secret Service. It just wasn't big enough to make their radar and assign manpower to it.... even after 2 grand in fake charges.

    I'd like to see them do more when people with all the evidence they would want call them, rather than implement a new program that will drain even more manpower from enforcement.

    --
    Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
    1. Re:Probably useless... by witherstaff · · Score: 2, Funny

      And if you stole 13 trillion dollars we'd just call you a banker.

  7. Considering that even one by Jane Q. Public · · Score: 3, Insightful

    serious case of identity theft could cost a single one of their "customers" more than $10,000 I think it is reasonable to expect them to do it.