Government Privacy The Almighty Buck United States

Companies To Be Liable For Deals With Online Criminals

Dionysius, God of Wine and Leaf, sends us to DarkReading for a backgrounder on new rules from the FTC, taking effect in November, that will require any business that handles private consumer data to check its customers and suppliers against databases of known online criminals. Companies that fail to do so may be liable for large fines or jail time. In practice, most companies will contract with specialist services to perform these checks. Yet another list you don't want to get on. "The [FTC's] Red Flag program... requires enterprises to check their customers and suppliers against databases of known online criminals — much like what OFAC [the Treasury Department's Office of Foreign Asset Control] does with terrorists — and also carries potential fines and penalties for businesses that don't do their due diligence before making a major transaction."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Friday April 25, 2008 @09:58AM (#23197200)
    They aren't being asked to do the job of law enforcement. They are being asked to check already existing databases, which are available on a per transaction basis for what is supposedly a fairly small fee. It's no different than running a credit check on a potential customer or a background check on a prospective employee.

    Running a business entails costs, and this is one of them. I see nothing wrong with this regulation.
  • EU Export (Score:4, Informative)

    by Tiberius_Fel ( 770739 ) <fel@emp[ ]reborn.net ['ire' in gap]> on Friday April 25, 2008 @10:02AM (#23197254)
    To my knowledge, European Union regulations already require you to check the people to whom you are shipping goods, to see if they are on a list of known terrorists and their associates.
  • by iamdrscience ( 541136 ) on Friday April 25, 2008 @10:49AM (#23197758) Homepage
    You're exactly right. This article is obviously little more than a regurgitated press release for MicroBilt. The reality is that this law is intended for big companies and companies doing big money deals and they're the only ones that are going to have to worry about it. Microbilt is just trying to get some more customers by making it sound like a broader law than it is and given that it's been written up as an article and been posted to Slashdot, I'd say they've done a pretty good job.
  • by bcwright ( 871193 ) on Friday April 25, 2008 @10:58AM (#23197878)
    I think if you read the actual proposed regulation that's published at http://www.ftc.gov/ [ftc.gov] you'll see that that's exactly what happens. This regulation does not appear to apply to businesses who merely accept credit cards, but rather to those who issue credit cards or other forms of credit.
  • by 44BSD ( 701309 ) on Friday April 25, 2008 @11:15AM (#23198080)
    From the federal register item linked to in TFA:

    The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft
    to do these things. If you sell something to someone for cash, you are not a creditor. If you were a financial institution, and thus covered by GLBA, you'd know it already. Unless you extend credit, you're not a creditor. Not much to see here, and the fact that this article had its origin in somebody selling a service to help you comply with this may be meaningful.
  • by Anonymous Coward on Friday April 25, 2008 @11:23AM (#23198210)
    The thing is, such "bad guy" databases, if maintained in realtime and accessed online can be monitored for access by the database maintainer (let's call them TLA).

    That transaction log itself contains great data mining material for TLA:

    This is simplified, but imagine the query sent to TLA by PoopyCorp was "SELECT * FROM BAD_GUYS WHERE NAME='Joe Bloggs'". Now, TLA knows that Joe Bloggs does business with PoopyCorp - possibly very valuable information if Joe Bloggs is a politician and PoopyCorp manufactures sex toys, or hell, if Joe Bloggs is a startup company founder and PoopyCorp supplies loans (uhoh, looks like BloggsCo is in financial difficulties, they're looking for a loan).

    If the query was checking *any* more involved stuff, it could be an even more catastrophic leak of information to TLA.

    If PoopyCorp instead just got a copy of the whole database from TLA each time (i.e. "SELECT * FROM BAD_GUYS"), and does the checking to see if Joe Bloggs is in that without involving TLA further, great, no information leak to TLA - except then PoopyCorp knows everyone on the list, an information leak in the other direction.

    In short, the idea of mandating this sort of check is deeply evil, though optional checking is less problematic (Joe Bloggs can take his business elsewhere if PoopyCorp *wants* to check with TLA to protect its interests).
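
The trade-off described in the comment above, as an added example that is not part of the original post: a hypothetical maintainer `TLA` logs every request, and the same screening check is run three ways: the per-name query, the full-list download, and a hash-prefix range query, a middle ground the comment does not mention. The class, function and parameter names are assumptions, and the listed names are constructed.

```python
import hashlib
import sqlite3

# Constructed sample list; every name here is invented.
BAD_GUYS = ["Mallory Example", "Eve Sample", "Trent Placeholder", "Oscar Madeup"]

def h(name):
    """Hex SHA-256 of a normalised name (hypothetical matching key)."""
    return hashlib.sha256(name.strip().lower().encode()).hexdigest()

class TLA:
    """Hypothetical list maintainer that logs every request it serves."""
    def __init__(self, names):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE BAD_GUYS (NAME TEXT, H TEXT)")
        self.db.executemany("INSERT INTO BAD_GUYS VALUES (?, ?)",
                            [(n, h(n)) for n in names])
        self.log = []  # the transaction log the maintainer could mine later

    def by_name(self, client, name):       # the comment's per-name query
        self.log.append((client, "name", name))
        return self.db.execute("SELECT NAME FROM BAD_GUYS WHERE NAME = ?",
                               (name,)).fetchall()

    def full_copy(self, client):           # the comment's whole-list download
        self.log.append((client, "full", None))
        return [r[0] for r in self.db.execute("SELECT NAME FROM BAD_GUYS")]

    def by_prefix(self, client, prefix):   # added: hash-prefix range query
        self.log.append((client, "prefix", prefix))
        return [r[0] for r in self.db.execute(
            "SELECT H FROM BAD_GUYS WHERE H LIKE ?", (prefix + "%",))]

def compare(customer="Joe Bloggs", client="PoopyCorp", prefix_len=2):
    """Run the same check three ways and report what each side learns."""
    tla = TLA(BAD_GUYS)
    hit_name = bool(tla.by_name(client, customer))
    names_seen = tla.full_copy(client)
    hit_full = customer in names_seen
    digest = h(customer)
    bucket = tla.by_prefix(client, digest[:prefix_len])
    hit_prefix = digest in bucket          # final match is done client-side
    return {"hits": (hit_name, hit_full, hit_prefix),
            "tla_log": tla.log,
            "client_saw_names": len(names_seen),
            "client_saw_hashes": len(bucket)}
```

In the returned log, the per-name entry ties the client to the customer's name, the full-copy entry reveals nothing about the customer but hands the client every listed name, and the prefix entry shows only a short hash prefix shared by many possible names. The prefix approach narrows the leak rather than removing it: the maintainer still learns that the client screened someone, and a short candidate list of names can be tested against the prefix.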
