National SOC Month

Exceeding Data Security Regulations

  • Written by Mark Naiman and Jan Stieger

Data security is an increasingly vital component of professional collections. A large amount of data is exchanged on a regular basis, from credit reports to scrubs to sales files. Collections leaders, even those who are not technologically inclined, have found it necessary to take important steps to understand how data flows through the organization and where files are stored. It is essential that company officers continue to take on accountability when it comes to data security. After all, data is often considered, at the same time, a company’s most valuable asset and one of its greatest vulnerabilities. Proper data security serves not only the consumers’ interests, but also protects the collector on reputational, financial, and legal fronts.

Generally when we picture a data security threat, we think of outside dangers such as malware, ransomware, social engineering or phishing attacks. These threats can be mitigated with awareness and employee training, as they rely heavily on the target’s carelessness or naiveté. Everyone should be aware of these risks in order to minimize vulnerability as much as possible.

There are several data security vulnerabilities over which companies have a relative amount of control, such as inadequate employee training, complacency, lack of organizational commitment, and lack of expertise. These, and all other, aspects of data security should be addressed from day one, and committed to every day thereafter.

RMA’s Certification Program requires company adoption of policies and procedures that address and mitigate these various risks, as data security is integral to any compliance management system. These policies and procedures are required to meet or exceed state and federal laws and regulations. RMA recommends receivables management companies undergo the following internal data security measures:

• The appointment of a Chief Compliance Officer, in part to ensure accountability. If a critical security control fails, it must be reported internally up the chain.

• Penetration testing for service providers on a regular basis.

• Due diligence to establish that vendors adhere to (or exceed) the same level of data security.

• An annual risk assessment and any adjustments made based on the results.

• Internal and third-party audits of the company’s entire compliance management system.

• Data back-ups that are located off-network.

• Establishment of a continuity plan outlining how the company will recover and mitigate damages of a potential breach.

“Confidential consumer information” includes more than just personally identifiable information such as card numbers, social security numbers, and driver’s license numbers. In fact, under the FDCPA, the existence of a debt and the status of that debt must not be disclosed to third parties unless the disclosure is permitted as a permissible purpose. Those who collect medical debt should be aware that consumer healthcare information is also protected under HIPAA, such as medical conditions, prescriptions, medical procedures, and doctors. Finally, a company’s own information should also be protected under many layers of security, as a great deal of company data is confidential, including payroll, financials, background checks, employment, sales strategies and product strategies.

During the purchase and sale transaction and portfolio valuation, it is essential to demonstrate due care for protection of confidential consumer information. RMA worked closely with the Federal Trade Commission (FTC) to create best practices in the sharing of portfolio data. Best practices would necessitate:

• The buyer and seller execute a mutual Non-Disclosure Agreement (NDA) that is valid for a minimum of two years. The NDA should include the requirement to maintain cyber security liability insurance, agreed upon remedies in the event of a breach, and the methodology for the data file to be returned and/or destroyed.

• The seller encrypt the appropriate data fields.

• Files be transferred via a secured transmission methodology and be password protected. Data files and passwords should be sent via different communication vehicles.

• A seller that transfers data containing personally identifiable information maintain a pre- and post-sale file transfer log.
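As an added illustration of the last three practices (not code from RMA or the article), the following Python sketch keeps a pre- and post-sale transfer log keyed on a SHA-256 digest of the data file, refuses to record a transfer whose password travels over the same channel as the file, and lets the seller confirm after delivery that the buyer's copy matches what was sent. The file contents, party names and channel labels are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample portfolio file; the PII column is assumed to already
# hold field-level ciphertext produced by the seller's encryption step.
SAMPLE_FILE = b"account_id,balance,ssn_enc\n1001,532.10,ENC(...)\n1002,88.00,ENC(...)\n"


def sha256_hex(data: bytes) -> str:
    """Integrity fingerprint recorded in the log instead of the data itself."""
    return hashlib.sha256(data).hexdigest()


def log_transfer(log, stage, file_bytes, seller, buyer, file_channel, password_channel):
    """Append a pre-sale or post-sale entry. Never stores the password, only
    which channel carried it, and rejects same-channel delivery of both."""
    if stage not in ("pre-sale", "post-sale"):
        raise ValueError("stage must be 'pre-sale' or 'post-sale'")
    if file_channel == password_channel:
        raise ValueError("password must be sent via a different vehicle than the file")
    entry = {
        "stage": stage,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "seller": seller,
        "buyer": buyer,
        "sha256": sha256_hex(file_bytes),
        "size": len(file_bytes),
        "file_channel": file_channel,
        "password_channel": password_channel,
    }
    log.append(entry)
    return entry


def verify_received(log, received_bytes) -> bool:
    """Post-sale check: the buyer's copy must hash to the pre-sale digest."""
    pre = next(e for e in log if e["stage"] == "pre-sale")
    return sha256_hex(received_bytes) == pre["sha256"]


if __name__ == "__main__":
    log = []
    log_transfer(log, "pre-sale", SAMPLE_FILE, "SellerCo", "BuyerCo", "sftp", "phone")
    print(json.dumps(log, indent=2))
    print("buyer copy verified:", verify_received(log, SAMPLE_FILE))
```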

While data security encompasses a broad range of measures, the application of these measures is not as abstract as one may think. Chief Compliance Officers are encouraged to undergo enhanced training on data security, not only to maintain the company’s compliance management system, but also to provide checks and balances with the IT department. No one individual should have unrestricted access to “the keys to the kingdom.” Collections employees should be hired only after passing a background check, and employees should be regularly trained on the importance of the data they are entrusted with, as well as on best practices for maintaining data security.

Mark Naiman is President/CEO of Absolute Resolutions Corp., and currently serves as President on the Board of Directors for Receivables Management Association.

Jan Stieger, CAE, serves as Executive Director of Receivables Management Association, the trade association representing nearly 550 member organizations in the accounts receivable industry.