Companies To Be Liable For Deals With Online Criminals
Dionysius, God of Wine and Leaf, sends us to DarkReading for a backgrounder on new rules from the FTC, taking effect in November, that will require any business that handles private consumer data to check its customers and suppliers against databases of known online criminals. Companies that fail to do so may be liable for large fines or jail time. In practice, most companies will contract with specialist services to perform these checks. Yet another list you don't want to get on. "The [FTC's] Red Flag program... requires enterprises to check their customers and suppliers against databases of known online criminals — much like what OFAC [the Treasury Department's Office of Foreign Asset Control] does with terrorists — and also carries potential fines and penalties for businesses that don't do their due diligence before making a major transaction."
Hm.. (Score:3, Interesting)
Changing Identity (Score:2, Interesting)
Aaaaaannnnnd, changing identity is easy. It's nothing to create a corporate entity - and that's a real one. Fake ones? Ha! So, while they're checking their all-seeing database of criminals, the crooks are changing their identity.
It's even done by legal, although unethical, businesses. Get too many complaints to the Better Business Bureau, just change your business' name.
Re:Is rootkit Sony on the list? (Score:3, Interesting)
Re:Red Flag? (Score:3, Interesting)
Not paying enough attention, I missed this link [ftc.gov] from TFA. This notice is all about identity theft, while the summary indicates that companies will be required to check customer lists against known criminals.
If someone steals my identity and uses it to buy something, it will be my name in the customer database, not the criminal's. How would checking the customer list help? As far as I know, I'm not a known criminal or terrorist.
Although, I guess I would (incorrectly) end up on the list after a hypothetical incident.
Re:Onerous Burden on Businesses? (Score:4, Interesting)
Plus, this thing kinda reminds me of the Payment card industry standard which, among other things, requires businesses that accept credit and bank cards to adhere to a strict policy of security when dealing with these cards. Every year, even on the smallest level, companies should be filling out a "self test" which requires you answer questions about your card security. Among the questions is a whole bunch of requirements you'd expect of a data center but not, say, a restaurant. Glass walls, biometric access, camera systems, etc. Fines start at $100,000 and you risk losing your ability to take credit cards. The published standard is here. [pcisecuritystandards.org]
I'm sure that 99% of small businesses that accept Visa/MC/AMEX etc have *no idea* about this standard and even if they did, they have no resources to adhere to it. That's why this "Red Flag" deal reminds me of it.
At last, a list I want to be on (Score:4, Interesting)
We're developing our program now (Score:3, Interesting)
eBay screwed! (Score:3, Interesting)