The FTC announced today that it has settled two data breach cases
with debt brokers. In complaints filed last year, the
FTC contended the debt brokers posted consumers’ personal identifying
information, including bank account information, credit card numbers, birth
dates, and information about debts the consumers allegedly owed, on public
websites in an unencrypted manner. See Federal Trade Commission v. Bayview Solutions, LLC, Doc. No. 1:14-cv-01830 (D.D.C. Apr. 13, 2015); Federal Trade Commission v. Cornerstone and Company, LLC, Doc. No. 1:14-cv-01479 (D.D.C. Apr. 13, 2015). The FTC contended the disclosures violated the
consumers’ privacy, put them at risk of identity theft, and exposed them to
“phantom” debt collection, resulting in violations of Section 5 of the FTC Act
and the Safeguard Rules of the Gramm Leach Bliley Act. Under the Stipulated Orders, the debt buyers
are required to establish, implement and maintain a written information
security program in compliance with the Safeguard Rules which will be assessed,
audited and certified periodically for twenty (20) years.
Debt buyers and sellers should keep in mind that they are subject to Gramm
Leach Bliley’s safeguard rules and are required to maintain, protect and secure consumers’ records and information.
Under the Safeguard Rules, covered entities must develop a written information security
plan (“WISP”) to protect customer information. The Rules require that the WISP
be appropriate to the financial institution's size and complexity, the nature
and scope of its activities, and the sensitivity of the customer information at
issue. Covered institutions are required to:
· designate one or more employees to coordinate the program;
· identify and assess the reasonably foreseeable risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of current safeguards for controlling these risks;
· design and implement a safeguard plan to manage the identified risks and regularly test or monitor such safeguards;
· select and oversee appropriate service providers and require them (by contract) to implement safeguards; and
· continue to evaluate the program and make adjustments in light of changes to its business arrangements or the results of its security tests.
The FTC has published its tips for keeping data secure for companies buying and selling debt:
· Don’t publicly post or make consumer information publicly available when selling portfolios.
· Store information securely. The FTC recommends limiting access to only those employees who need access and maintaining data in password protected files.
· Minimize the amount of information shared with potential buyers, verify their identities and ensure they have safeguards in place to protect any information shared.
· Transfer data securely using encrypted or password protected files.
· Dispose of data safely.
· Have a plan in place to deal with a breach and be familiar with any relevant state statutes governing data breaches.
· Consult the FTC website for free information