FTC Delays Identity Theft Rule Yet Again

← Back to Stories (view on slashdot.org)

FTC Delays Identity Theft Rule Yet Again

Posted by kdawson on Tuesday June 1, 2010 @07:04AM from the don't-get-phished dept.

coondoggie sends news that the FTC, at the request of several members of Congress, has delayed enforcement of anti-ID-theft rules — for the fourth time since the original implementation date, November 2008. "The [Red Flags] rule requires financial institutions and other creditors to develop and carry out identity-theft prevention programs. ... The problem with the rule revolves around which entities must comply and develop identity-theft prevention programs. ... 'It's the act of delaying payment for services that can sweep in entities you wouldn't normally think of as creditors,' Kuehn said. Already, the American Bar Association, the American Medical Association, and the American Institute of Certified Public Accountants have sued, saying that the Red Flags Rule shouldn't apply to their members."

44 comments

Min score:

Reason:

Sort:

ok... by butterflysrage · 2010-06-01 07:07 · Score: 2, Insightful

why not? do they not have important data that could be used in an identity theft?

--
the preceding post was not spell checked... suck it.
1. Re:ok... by Anonymous Coward · 2010-06-01 07:19 · Score: 0
  
  why not? do they not have important data that could be used in an identity theft?
  Call the FTC out on their decision, ask them which congressmen urged the delay, and perhaps we can find out:
  a. Who (if anyone) is on the take
  b. Why (if any reason) are they on the take
2. Re:ok... by Qzukk · 2010-06-01 07:33 · Score: 4, Informative
  
  do they not have important data that could be used in an identity theft?
  The "Red Flags Rule" isn't about stealing data, it's about requiring people to watch for signs that stolen data is being used (hence "Red Flags"). Things like fake IDs, addresses that don't match your records or are not valid, or a SSN that isn't in the date range for the person's DOB.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
3. Re:ok... by oldspewey · 2010-06-01 07:45 · Score: 5, Interesting
  
  And at the end of the day, it's all about what costs more/less money where these financial institutions are concerned. If new "red flag" procedures and checks for ID theft cost a bank $25 million per year, and their actuaries tell them they only suffer $10 million per year in ID-theft-related losses, then it's not in their interests to put those "red flag" measures in place.
  The human cost to their customers (lost time, mental anguish, etc.) of an incident carries absolutely no weight in their thinking. It's all about the bottom line.
  
  --
  If libertarians are so opposed to effective government, why don't they all move to Somalia?
4. Re:ok... by Anonymous Coward · 2010-06-01 08:25 · Score: 0
  
  None of those three organizations are financial institutions, so I don't understand what you think this represents. Not all financial institutions have the attitude that you are talking about, credit unions typically don't think that way because they are concerned about their member-owners welfare, banks on the other had have to answer to their stockholders.
5. Re:ok... by OldHawk777 · 2010-06-01 08:44 · Score: 4, Interesting
  
  I agree, but I don't trust politicians to get it done right.
  Credit (Equifax...) rating companies, credit card companies, Bank/Loan Sharks... are the one that validate false/stolen IDs. I have always thought the should be the first sued by ID theft victims.
  
  --
  Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
6. Re:ok... by VernorVinge · 2010-06-01 18:08 · Score: 1
  
  I agree. This is no doubt a move by the banking industry who would have to expel millions of illegal immigrants who are using stolen or false identities to set up their accounts. I know- because I was a victim of Bankof America and still have in my possession a debit card with the illegal's picture and my name on it.
  
  --
  Stay skeptical, my friends.
AMA objections. by TheMeuge · 2010-06-01 07:18 · Score: 5, Informative

The reason for the objection by the AMA is that this rule would designate doctors as creditors, by virtue of them billing for their services. This would require a torrent of new paperwork to be handled by the doctors' offices. Ultimately, the time and staff cost of compliance would be extremely high, while there aren't likely to be any benefits in terms of reduction of personal data theft from medical practices, since HIPAA regulations are already very strict regarding personal information.
Since many hospitals and practices already operate on rather thin margins (3% is considered excellent for a hospital), the last thing medical institutions need is more staff to handle paperwork. They already outnumber doctors...
1. Re:AMA objections. by Ken+D · 2010-06-01 07:36 · Score: 4, Insightful
  
  If you read the article, it claims that the issue is the Red Flags rule, which is aimed at preventing *misuse* of identification information while accessing services rather than theft of identification from their systems.
  This definitely should apply to the medical industry. Or have you not yet heard of people not only getting billed for medical procedures that they have not had, but simultaneously having their medical history corrupted and having their insurance history mangled as well. http://en.wikipedia.org/wiki/Identity_theft#Medical_identity_theft
2. Re:AMA objections. by Monkeedude1212 · 2010-06-01 07:41 · Score: 1
  
  Consider it a make work project?
3. Re:AMA objections. by Sandbags · 2010-06-01 08:03 · Score: 2, Insightful
  
  Huh? the red flag rules are almost all covered already by HIPAA and Sox. There's immense overlap between them, red flag just applies to a lot more than medical and legal records... Doctors already are required to obey these rules, and most small doctors, due to the cost, already use intermediary companies to handle billing and colelction eliminating them from direct responsibility (and the creditor lablel).
  
  --
  There is no contest in life for which the unprepared have the advantage.
4. Re:AMA objections. by Anonymous Coward · 2010-06-01 16:52 · Score: 0
  
  Hospitals and practices on thin margins.......mind you, that "thin margin of 3%" is able to pay for a vacation in freaking (name vacation spot that costs more than most people ever GROSS in a month) for the doctor ( unless he/ she is fresh out of med school, yes, I agree, med students/ interns DO have a bit of TEMPORARY hassle). Sorry, but I think that since these folks are already bankrupting entire GENERATIONS to deign to treat illness, and oh by the way, MAYBE save a life or two along the way, then it really isn't too much to ask these folks to at least go to the extra trouble to make damn certain that the people whose lives they are about to irrevocably change for the duration are at the very least the RIGHT damn people to get the freaking bill.
  I have NO sympathy for those schmucks at the AMA......absofreakinglutely NONE.
5. Re:AMA objections. by Dragoness+Eclectic · 2010-06-02 04:31 · Score: 1
  
  most small doctors, due to the cost, already use intermediary companies to handle billing and colelction eliminating them from direct responsibility
  You know what that also does? The small intermediary company doesn't give a crap if the doctor's customers get pissed off by mismanaged billing and insurance paperwork handling; they just insist on the money being paid. The doctor's office, since it isn't directly responsible, blows off your insurance issues with "the billing company handles that". This can really screw you if, say, the insurance company isn't paying up on the excuse that the doctor didn't send them some obscure paperwork on request--it's not in the insurance company's interest to push the issue, because then they'd have to pay out money, the billing company doesn't give a crap, because the doctor is their customer, not you, and the doctor's office doesn't handle billing or insurance paperwork, so they don't have a clue what's going on.
  I had a 2-3 year fight with my (former) doctor's billing office and my (former) health insurance company over such a snafu. Made me hate going to the doctor for any reason whatsoever, because it would start up the fight with the insurance company all over again. Got so I wouldn't go to the doctor for anything short of an emergency--no routine check-ups, no innoculations, no visits for colds, flu, sinus infections that hadn't progressed to the "clutching my head and screaming in pain" stage, no checks on my blood pressure, no nothing, just because of the massive stress-inducing hassle.
  My insurance problems miracuously cleared up when I was switched (old doctor closed his practice after Katrina) to a doctor whose office did their own billing and thus gave a crap about clearing the payment issue up.
  
  --
  ---dragoness
6. Re:AMA objections. by Sandbags · 2010-06-02 06:00 · Score: 1
  
  You know not of what you speak.
  Red flag rules as well as HIPAA and PCI regulations do leave the doctor responsible for accurate billing practices, the intermediary is only a billing agent that handles transactions. Pissed off customers ARE likely to leave a doctor with an ineffective billing agent. Insurance issues are still handled first party by the doctor, not through the intermediary (the bill can only be sent to a customer after the HIPAA statement is generated and returned to the doctor clarifying coverage. In the end, you have rights, and guaranteed protections, and improper billing practices come with STIFF penalties for both the billing agency, the doctor, and the insurance company.
  Now a "collections" agency is a different matter altogether...
  I've also been in a 2.5 year fight over a bill for child birth with the insurance company. The doctor's bills are in order, as is the intermediary's bills to me, the only issue is the INSURANCE company not doing the math right, claiming things common to child birth are not covered, miscalculating my out-of-pocket maximum, and more. This has NOTHING to do with the doctor's correct belief that the insurance company paid X, I thus owe Y.
  
  --
  There is no contest in life for which the unprepared have the advantage.
Re:e-diplomas-r-us by ColdWetDog · 2010-06-01 07:23 · Score: 1

Congrats: Third post and you're completely orthogonal to the FA. Maybe less time in 'happyplace' and more time in 'reading'.

--
Faster! Faster! Faster would be better!
FDIC is looking by Pagey123 · 2010-06-01 07:33 · Score: 2, Interesting

I know in our last safety and soundness exam the FDIC looked over our Red Flags program. I'm not saying that is where they spent the majority of their time by any means, though. Right now all the banks are getting hammered on asset quality. The regulatory bodies have written so many MOUs they're having a hard time keeping up.
Re:e-diplomas-r-us by Anonymous Coward · 2010-06-01 07:34 · Score: 0

I can't believe this has been modded up. The Rule has nothing to do with anyone's credentials. It was designed to require banks and businesses extending consumer credit to take steps to avoid identity theft, but was drafted so poorly that practically every business in the United States is subject to it and its onerous requirements.
Of course, reading any of the plentiful information on the Red Flags Rule, or even the linked article would take time.
Much easier to just mod up any moron who makes an anti-business comment on /.
Re:e-diplomas-r-us by Attila+Dimedici · 2010-06-01 07:36 · Score: 1

I'm sorry, I do not believe that happy place's comment is even close enough to the topic in the article to be orthogonal to it. I guess you could take that view since doctors and lawyers are mentioned in both the article and happy place's comment. I believe that is the only thing those two have in common.

--
The truth is that all men having power ought to be mistrusted. James Madison
Re:e-diplomas-r-us by Anonymous Coward · 2010-06-01 07:40 · Score: 0

take steps to avoid identity theft
The point of Red Flags is that the theft has already happened and now some Mexican is in your office wanting a credit line and showing you some white scandinavian drivers license and claiming that he's really Mia Bjarnor. What do you do? WHAT DO YOU DO??!? Oh wait, you have a policy for exactly this thing!
Theft Rule Delayed: +1, Extra Jalapeno Elevated by Anonymous Coward · 2010-06-01 07:49 · Score: 0

BECAUSE:
Association members ARE identity thieves.
Thanks for the update.
Yours In St. Petersburg,
K. Trout, C.E.O.
Bad idea in the first place by russotto · 2010-06-01 07:49 · Score: 1

A set of rules that are so onerous that the lawyers and accountants are running scared of the paperwork probably is a bad idea all around, not just as applied to certain people and companies.
(note to idiots who have never seen a regulation they don't like: I am not saying that preventing identity theft is a bad idea. I'm saying this particular way of doing so is probably a bad idea)
1. Re:Bad idea in the first place by cvd6262 · 2010-06-01 08:15 · Score: 4, Interesting
  
  Especially when there are already laws against the behavior in question and these laws already put the onus on the companies. (This isn't original to me, but I'm too lazy to look up the original reference.)
  It works like this: If Person A pretends to be me and gets something without paying for it, that's fraud, not "ID theft." But with fraud, I'm not the victim, whoever accepted the fraudulent credentials is.
  Over the last 15 years we've seen a new crime called, "ID theft" wherein the victim is no longer the entity with the power to impede the crime, the victim is a third party. That way credit-granting agencies can ignore the warning signs, and then bill the wrong person for the transaction.
  If we stopped talking about "ID theft" and just went back to fraud, the companies would already have the motivation to tighten their ID checks.
  
  --
  
  I'd rather have someone respond than be modded up.
2. Re:Bad idea in the first place by Anonymous Coward · 2010-06-01 08:46 · Score: 0
  
  A set of rules that are so onerous that the lawyers and accountants are running scared of the paperwork probably is a bad idea all around, not just as applied to certain people and companies.
  Not really... lawyers and accountants (and doctors) are protected monopoly professions, so they set their prices as high as they can... meaning that they have already set them to the maximum that the market will bare. Any new regulations will increase their costs, and since they are already charging the highest possible prices, they will not be able to pass that cost on to consumers, so they will have to pay for it out of their profits. That's why they are running scared. It all has to do with price elasticity.
3. Re:Bad idea in the first place by russotto · 2010-06-01 09:29 · Score: 2, Insightful
  
  As I understand it, the difference between classic fraud and ID theft is whether or not new credit is established. And the problem isn't so much the money, but the destruction of reputation. Someone steals my credit card number, I just cancel it and don't pay the fraudulent charges. Someone obtains and uses enough information to apply for new credit in my name, I still don't have to pay the bills, but credit reporting agencies list me as a deadbeat; I can challenge the information but the criminals can just keep doing it; I can do little to stop it that doesn't hurt me as well.
4. Re:Bad idea in the first place by Anonymous Coward · 2010-06-01 09:44 · Score: 0
  
  lawyers and accountants (and doctors) are protected monopoly professions
  Do you have any idea what a monopoly is? That's an idiotic comment if I've ever seen one. The legal industry is extremely competitive.
5. Re:Bad idea in the first place by Anonymous Coward · 2010-06-01 16:03 · Score: 0
  
  "credit reporting agencies list me as a deadbeat;"
  This should be treated no differently than libel.
6. Re:Bad idea in the first place by lgw · 2010-06-01 17:27 · Score: 1
  
  "credit reporting agencies list me as a deadbeat;"
  This should be treated no differently than libel.
  Knowingly making a false report to a credit reporting agency is an actual crime, so it's treated worse than libel. I'm not sure how in the wrong the credit reporting agencies are during the process, however. If someone is impersonating me, then it's correct that merchant's shouldn't trust anyone with my ID until the whole thing is cleared up.
  Where the credit reporting agencies fall down, however, is in cleaning up after the fact. Since you and I are not their customers, they lack motivation to do so. It's not immediately clear how to have a simpler system that doesn't allow actual deadbeats to claim identity theft and thereby invalidate the whole system, but I'm sure there's a solution somewhere.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
Just Make it Their Problem by Anonymous Coward · 2010-06-01 07:50 · Score: 1, Insightful

Just make it the banks' problem. If someone opens a credit card in my name and charges a bunch of things to it, just let the bank deal with it. It's not my fault they gave a credit card to a fraud. If I tell them it wasn't me, they should have to eat the loss themselves. Then they'll make sure that anyone they give credit to is the real deal.
1. Re:Just Make it Their Problem by anegg · 2010-06-01 08:06 · Score: 2, Informative
  
  BINGO! Just Make It Their Problem! I like the sound of it. Nice and simple. It is exactly what should happen. If a bank extends credit to someone claiming to be me, then bills me for it, it should be the bank's problem to PROVE it was me, not mine to prove it wasn't. There should also be a penalty for those people who falsely claim it wasn't them when it was. I suspect the whole "stolen identity" thing will largely die off when the banks have to eat the results of their bad decisions. There will probably also be an impact on the availability of credit, but I'm not convinced that will be a bad thing.
2. Re:Just Make it Their Problem by lgw · 2010-06-01 17:31 · Score: 1
  
  Just keep in mind that doing this will require the bank to have an extensive set of your personal information, so that they can validate your claim. And when that database is stolen, and someone correctly answers all their questions, then you'll be stuck with the bill, sinc obviously you conspired in the whole thing!
  Sort of like chip-and-PIN: a "security" feature that was no more secure, but lost the right to dispute charges based on identity, since if the user of the card knew your PIN you must have told them - no other possible explanation, says the bank.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
Re:e-diplomas-r-us by Kilrah_il · 2010-06-01 07:54 · Score: 1

The point of Red Flags is that the theft has already happened and now some Mexican is in your office wanting a credit line and showing you some white scandinavian drivers license and claiming that he's really Mia Bjarnor. What do you do? WHAT DO YOU DO??!?

What do I do? I ask him: "You do not look like Mia Bjarnor, are you sure this is your real name?".
If answer="Yes" then GiveCredit() else CallCops();
Easy!

--
Whenever in an argument, remember this.
Wrong approach by Locke2005 · 2010-06-01 07:58 · Score: 1

Don't bother trying to force companies to prevent it... just make the company that leaked the data responsible for all losses as the result of identity theft, and then leave them up to their own devices to find a way to prevent it.

--
I've abandoned my search for truth; now I'm just looking for some useful delusions.
1. Re:Wrong approach by Anonymous Coward · 2010-06-01 08:23 · Score: 0
  
  Unfortunately, most of those ways will not be technical -- they'll be political.
  There's also the question of which company is responsible when one company stores data sets it shouldn't, passes them off to another company in an improperly encrypted way, and then a peering company handles that data and loses some context bits that indicate it is restricted data, resulting in a fourth company publishing the data. Who's at fault? They all are. Who's to blame? If you say the last guy in the chain who actually leaked the data, then it provides almost no incentive for anyone to do anything other than business as usual -- except maybe to add markup to customers to cover damages from incidents such as this.
Businesses Like Identity Theft by geophizz · 2010-06-01 08:27 · Score: 1

Identity theft is good for the bottom line, that's why. You can sell lots of things to an Identity thief, plus it's recession proof! If you're Best Buy (or some other vendor), you get to sell more stuff. By the next month, you've already posted the profit so then you can hang the loss on the credit card company, who then gets a bailout from the government. It's a perfect scam, all the way around!
1. Re:Businesses Like Identity Theft by Anonymous Coward · 2010-06-01 08:53 · Score: 1, Informative
  
  It is good for the credit card's bottom line, but not the merchants.
  When the customer complains the credit card takes the funds back from the merchant and charges them a charge back fee on top of losing the merchandise. Ultimately the customer walks away, the credit card makes a fee, and the merchant is left holding the bag.
if the doctor can file a bad credit report on you by Anonymous Coward · 2010-06-01 09:06 · Score: 0

then they are a "creditor".
When doctors and hospitals agree to give up the right to file reports about you to the Credit Reporting Agencies (i.e. give up the benefit of being treated as a creditor) is they day they can stop being required to comply with the painful parts of being treated as a creditor.
The two items are a lot more related than might appear on first glance -- the only reason a doctor/hospital has for *requiring* your SSN/TIN is in case they need to file a bad report about you to the Credit Reporting Agencies and it is exactly that SSN/TIN data collection that is the reason they were being included in this FTC rule. If they stop collecting SSN/TIN (thereby losing the ability to file a negative credit report about you), then we won't need them to behave like responsible creditors.
Stupid and confusing by cdrguru · 2010-06-01 09:43 · Score: 3, Interesting

There are two entirely different things that are both lumped together as "Identity Theft".
The first one is where someone manages to get a bank or loan company to give them credit based on false credentials. You wake up one morning and discover that you owe lots of people you never even heard of, perhaps as much as a year after the loan was given. This is big trouble, because your success depends on convincing the originator of the loan that they made a mistake. It can take years to clean this up and plenty of money. Fortunately, it is extremely rare.
The second sort of "Identity Theft" is where someone "borrows" your credit card number. It is nothing more than credit card fraud and takes about 10 minutes to clear up. It personally happens to me at least once a year. I believe that many businesses end up selling credit card numbers one way or another, usually through employees looking for some extra income. A valid credit card number is worth maybe $2 on the open market, so if you collect of 50 of them you have yourself $100. Plenty of people could use an extra $100 a week.
Credit card fraud is so incredibly common that nearly all large stores have insurance to cover their losses. So they pretty much don't care when it happens - they file for insurance coverage and are reimbursed. The credit card companies do not care at all and pretty much refuse to even attempt to prosecute the people doing it because it looks bad. So the only loser in this is a small business that gets taken on a credit card sale and doesn't have the insurance that bigger stores have.
With a "no prosecution" stand, credit card fraud is about as rampant as it could possibly be. There are no consequences to doing it. If you walk in to a store and try to use a fraudulent credit card it might not validate - around 1960 they called the cops. Today they take the card and suggest you get lost. I suppose if you insisted they call the police they might, but you wouldn't be charged with anything like credit card fraud because nobody cares. Probably end up getting charged with making an ass of yourself in public.
Yes, I have had a physical credit card stolen and reported to the police. I knew who took it and who used it in a store (successfully, I might add), but the police wouldn't do a thing unless the credit card company wanted to press charges. They never do, so they guy got the stuff from the store and got away with it clean.
1. Re:Stupid and confusing by gurps_npc · 2010-06-01 10:39 · Score: 2, Insightful
  
  You left out the THIRD sort of "Identity Theft". Illegal aliens are the largest growing criminals that commit "Identity Theft". They borrow your name/social security number to obtain ID, but do not in any way attempt to steal money from you.
  
  --
  excitingthingstodo.blogspot.com
2. Re:Stupid and confusing by Drgnkght · 2010-06-01 15:02 · Score: 1
  
  but do not in any way attempt to steal money from you.
  Maybe not directly, but someone else using your name and ssn could get real unpleasant. :-/ Someone using my identity for *ANY* reason would get placed at the top of my sh** list. Instantly.
  Monetary costs are only part of the problem. The legal system can have a field day with you too. It's loads of fun getting summoned to court with no idea why. This has happened to me; I did not enjoy the experience. (For what it is worth, the charges were dropped. I had evidence I was elsewhere at the time in question.)
3. Re:Stupid and confusing by gurps_npc · 2010-06-03 06:06 · Score: 1
  
  True, but rather obvious. That is why Idientity Theft is a crime, as opposed to simply chargning people with regular theft.
  
  --
  excitingthingstodo.blogspot.com
Re:e-diplomas-r-us by Drgnkght · 2010-06-01 10:54 · Score: 1

So basically you'd do what the banks are already doing? Which is (essentially) nothing.
Re:Bad Idea...Monopoly defined. by Anonymous Coward · 2010-06-01 17:36 · Score: 0

Okay, I'll bite....what competition does the ABA have, exactly? who else in this country can even practice law without the blessing of the Bar Association? Congress, perhaps, is about the only OTHER entity in the U.S. that can do so, and many of it's members are also members of the Bar Association. So, seriously, WHAT competition?
One need not be the only player to maintain an effective monopoly, by the way.