Identity thieves get reprieve as FTC backs off Red Flags rules again

While the Federal Trade Commission does a lot of posturing about how it helps consumers protect their valuable personal information through laws and education, the agency has for the second time in less than a year delayed enforcement of its key identity theft rules until August.

The reasons for the delays are an old tune by now: banks and financial institutions can't get ready for the program, which was originally set to go into effect Nov. 1, 2008. Other groups, such as hospitals and physicians' offices, have complained that the Red Flag requirements will cost too much to implement. A survey of 100 hospitals by MedPage Today found that they would have to spend over $10,000 to comply with the Red Flag Rule.

"Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further," FTC Chairman Jon Leibowitz said in a statement.

The FTC stated that it would delay enforcement of the new "Red Flags Rule" until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today's announcement does not affect other federal agencies' enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight, the agency stated.

The Red Flag program is one of the major ways the government plans to fight the growing identity theft blight. Banks and other financial institutions typically account for about half of the identity theft complaints filed with the FTC and a recent survey showed Bank of America, JP Morgan, Capital One and Citibank topping the FTC list.

That's one of the reasons why under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.

The FTC, federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.

The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said.

The FTC stated that some industries and entities within the agency's jurisdiction were uncertain about their coverage under the Red Flags Rule. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the Rule's requirements too late to be able to come into compliance by November 1, 2008. The Commission's delay of enforcement will give these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule, the FTC said.

The FTC delay follows a scathing report by the Government Accountability Office this week that took issue with the extent to which Social Security numbers and other personal identification are available in public records across the country. Among other things, the study noted that 85% of large counties and 41% of small counties in the US make records that may contain SSNs generally available in bulk or online. On top of that, many record keepers do not or cannot restrict the types of entities that can obtain public records and may not know how records are being used. Finish that observation off with the notion that some businesses are sending records with SSNs offshore, primarily to India and the Philippines, even though not much is known about how such data are protected overseas.

The FTC in February released the list of top consumer fraud complaints for 2007 and showed that for the seventh year in a row, identity theft is the number one problem and it is showing no signs of letting up. Of 813,899 total complaints received in 2007, 258,427, or 32%, were related to identity theft. Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.   
