If information is the new world currency, then debt collectors probably want to collect as much information as they do cash from consumers. But the data security sphere comes with its own expansive – and evolving – set of compliance standards, especially when a third-party vendor deals with consumer information. Unfortunately, there are vendors out there making claims that, under closer scrutiny, don’t pass muster. At Tuesday’s webinar “Third Party Risk and Due Diligence,” TECH LOCK President and CEO Todd Langusch explained what to look for, what to ask, what to expect and what to avoid when contracting vendors that come in contact with consumer data.
A breach of your company’s systems doesn’t mean you had no security in place; conversely, the absence of a breach doesn’t mean you have enough security in place. This uncertainty is clearly reflected in the market. According to the Ponemon Institute, in the field of medical collections alone, only 30 percent of companies were confident that vendors were appropriately guarding patient data. And on top of federal regulations surrounding data security (such as the Gramm-Leach-Bliley Act) and contractually imposed industry standards (such as PCI DSS, which is a payment-card-industry standard rather than a federal regulation), state governments are creating their own regulations to protect consumer information.
Fortunately, Langusch identified a series of steps collection agencies can take to identify and fix any vulnerabilities in their data systems. For example, data security needs to be a top-down priority where a collection agency’s board of directors and/or governing body takes a more direct role in compliance. Langusch said this is a high priority for the Consumer Financial Protection Bureau.
“They have instances where the highest governing body hasn’t approved service providers,” he said. “They just checked a box.”
Once your agency’s higher-ups are actively involved in the vendor selection process, the agency should question potential vendors closely on a series of topics covering risk assessment, security awareness, oversight, encryption and more. TECH LOCK has developed a questionnaire that covers 55 areas of data security compliance.
“Always, 100 percent, do a data flow diagram in your third party risk assessment,” Langusch said. “It’s okay for them to send a certification, but you have to correlate it. It’s the only way to show due diligence.”
Todd Langusch is President and CEO of TECH LOCK Inc. TECH LOCK is a proud sponsor of ARM-U (October 14-15; Washington, DC OR online). Join Todd at ARM-U as he discusses the in-depth features of a solid compliance management system with Rozanne Andersen of Ontario Systems and Lacey Jensen of Columbia Ultimate. Seats are still available; or you can register online and have your entire office watch a live simulcast of the educational panels and presentations.