Companies To Be Liable For Deals With Online Criminals

Dionysius, God of Wine and Leaf, sends us to DarkReading for a backgrounder on new rules from the FTC, taking effect in November, that will require any business that handles private consumer data to check its customers and suppliers against databases of known online criminals. Companies that fail to do so may be liable for large fines or jail time. In practice, most companies will contract with specialist services to perform these checks. Yet another list you don't want to get on. "The [FTC's] Red Flag program... requires enterprises to check their customers and suppliers against databases of known online criminals — much like what OFAC [the Treasury Department's Office of Foreign Asset Control] does with terrorists — and also carries potential fines and penalties for businesses that don't do their due diligence before making a major transaction."

Hm..

[kvezach]

Does the crime of Slashdot first-posting get you on that list?

Changing Idenity

[iamsamed]

.. but what happens if I Jason Smith am not a criminal and there happens to be a Jason Smith criminal out there that isn't me. Also who in their right mind uses their real name on the internet?

Aaaaaannnnnd, changing identity is easy. It's nothing to create a corporate entity - and that's a real one. Fake ones? Ha! So, while they're checking their all seeing database of criminals, the crooks are changing their identity.

It's even done by legal, although unethical, businesses. Get too many complaints to the Better Business Bureau just change your business' name.

Re:Is rootkit Sony on the list?

[Kartoffel]

Exactly. The FTC needs to clearly define the penalties for doing business with "criminals". If I do business with Comcast (presumably, a known criminal entity) just what, exactly, am I liable for? Can I still buy a Sony PS3, or will there be additional fines for having done business with an criminal organization?

Re:Red Flag?

[EricWright]

Bad form... replying to self... get over it.

Not paying enough attention, I missed this link [ftc.gov] from TFA. This notice is all about identity theft, while the summary indicates that companies will be required to check customer lists against known criminals.

If someone steals my identity and uses it to buy something, it will be my name in the customer database, not the criminal's. How would checking the customer list help? As far as I know, I'm not a known criminal or terrorist.

Although, I guess I would (incorrectly) end up on the list after a hypothetical incident.

Re:Onerous Burden on Businesses?

[tha_mink]

This sounds like quite an onerous burden on businesses, and I imagine it will be struck down by the courts soon enough unless it's much narrower and specific a regulation than the story makes it appear. Private parties should not be expected to do the job of law enforcement.

It depends on how easy it is to do. I think for the most part, businesses that will be affected by this will probably want to insure that they are not helping criminals. I know I can speak for our business.

Plus, this thing kinda reminds me of the Payment card industry standard which, among other things, requires business that accept credit and bank cards to adhear to a strict policy of security when dealing with these cards. Every year, even on the smallest level, companies should be filling out a "self test" which requires you answer questions about your card security. Among the questions is a whole bunch of requirements you'd expect of a data center but not, say, a restaurant. Glass walls, biometric access, camera systems, etc. Fines start at $100,000 and you risk losing your ability to take credit cards. The published standard is here. [pcisecuritystandards.org]

I'm sure that 99% of small businesses that accept Visa/MC/AMEX etc have *no idea* about this standard and even if they did, they have no resources to adhear to it. That's why this "Red Flag" deal reminds me of it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

At last, a list I want to be on

[clovis]

It appears to me that if I get on that list it will greatly reduce my exposure to Identity Theft.

We're developing our program now

[Pagey123]

I work for a small community bank, and we are in the process of developing our program now. The regulations implement sections 114 and and 315 of the FACT Act. Section 114 requires all covered institutions to create and implement a written Identity Theft Prevention Program consisting of four elements: 1. Identification of Red Flags 2. Detection of Red Flags 3. Responding to Red Flags 4. Updating the Program To be covered, an institution must offer what is called a "covered account." A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. The regulatory bodies go on to offer guidance on 5 categories of potential Red Flags, including: 1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; 2. The presentation of suspicious documents; 3. The presentation of suspicious personal identifying information, such as a suspicious address change; 4. The unusual use of, or other suspicious activity related to, a covered account 5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor. Section 114 also requires the issuer of a debit or credit card to verify the vailidity of an address change followed by the request for a new, additional, or replacement card if requested within 30 days of the address change. In other words, if you receive a request for a new card within 30 days of an address change, you are required to validate the address change with the customer to be sure it is indeed a valid request before mailing the new card. Section 315 requires the users of consumer reports (i.e., credit reports) to verify the identity of the consumer if the report notes a substantial difference in the address provided by the institution versus the address last on file with the Credit Reporting Agency. This applies only if a continuing relationship is established with the consumer. One of the ways to comply with Element 2, detecting Red Flags, is to use various software programs (such as those for BSA/AML) or databases to run checks against, but the regulations clearly state that the program must be appropriate for the size of the institution and the scope of its operations. I highly doubt they'll expect mom & pop types institutions to deploy extraordinary measures to verify that Jim Bob is not a terrorist. Now, if you're Bank of American or Fifth Third, for example, you'll be expected to do a little more. Also note that bank's service providers are required to have a Red Flags program in place. Meaning if I am generating mortgage or auto loans for a financial institution, I'm required to detect and respond to Red Flags, and the bank is required to assess my program. Hope this helps!

eBay screwed!

[Dahamma]

Wow, this would exclude half of eBay's customer base...