The Electronic Privacy Information Center (EPIC), a “public interest research center in Washington, D.C. [that] focuses public attention on emerging civil liberties issues,” sent a 20-page recommendation to the Federal Trade Commission with a lot of feelings that boil down to this:
The collection industry cannot be trusted with social security numbers or email. Please make them stop using both.
This particular bow-shot was fired on May 27, and EPIC categorically makes the above point again and again. It was written in response to the FTC’s April panel discussion, which looked at how advances in technology could effect the collection industry. EPIC is worried that the FTC might allow collection agencies to use email, text, and social networking as avenues for contacting debtors.
“Uh, no, I don’t think so,” is the nature of EPIC’s response.
EPIC’s paper starts with an overview of skiptracing in the industry, laying the ground for their later stance against the use of social security numbers. It then moves on to reminding the FTC that they actually have the power — up to now unused — to be better regulators of the industry. “You guys, the Fair Debt Collection Practices Act! And the Federal Trade Commission Act! And the Gramm-Leach-Bililey Act! And why aren’t you using these? Do we have to do everything? Sheesh!”
Then, of course, they go where these conversations always go: into a section called “The Debt-Collection Industry Has a History of Systematically Violating the FDCPA, Section 5, and the Gramm-Leach-Bliley Safeguards Rule.” Because of course it’s the whole industry (no it isn’t), and because they have FTC complaint stats (which we’ve already covered), and because data brokers are the same thing as debt collectors (no, they’re not).
The data broker thing comes into play because EPIC spends several paragraphs exploring the role of data brokers. They do this by opening with, “Debt collectors have a checkered past complying with FTC regulations.”
But, where you’d expect them to then launch into examples of said checkered past (and this is not to say that some wrong-doing agencies out there don’t have checkered pasts, because they do, and EPIC has some examples), they instead want to talk about complaints against data brokers. Data brokers, for the record, aren’t accountable to the FDCPA. Data brokers, also for the record, aren’t debt collection agencies. Abuses in that area should not be used in an argument about collection agencies.
When EPIC finally does get to abuses that are directly attributable to agencies in the industry, they’re pretty damning. For instance, one agency created a website with a consumer’s name in the URL that led to a site reading “[redacted] isn’t paying for her Cavalier!” A couple of other agencies misused MySpace in communicating with a debtor.
Again, though: this isn’t the whole industry doing this. These are examples of individual companies rightly getting caught and rightly facing consequences for their actions.
The meat of EPIC’s missive comes on page 11, Section IV: “The FTC Must Develop Proactive Regulations and Take Meaningful Enforcement Actions With Effective Sanctions to Deter Non-Compliant Behavior Going Forward.” It’s here that EPIC provides its own helpful hints and strategies for regulating the collections industry:
“EPIC recommends that the FTC clarify that its Guidance Document for complying with the Gramm-Leach-Bliley Safeguards Rule is mandatory. EPIC also recommends the agency to clearly state that the FDCPA, as it is currently constituted, prohibits contacts between debt collectors and consumers via social networking sites, text messaging, or email. Finally, EPIC recommends finding that the industry’s current use of Social Security numbers constitutes an unfair trade practice under Section 5a of the FTC Act. EPIC urges the agency to pursue meaningful enforcement actions that hold debt collectors accountable for unlawful activity.”
Furthermore, EPIC provides a bulleted list written by the FTC back in 2002 that the consumer protection agency would like to see back in action:
- Checking references or doing background checks before hiring employees who will have access to customer information
- Limiting access to customer information to employees who have a business reason to see it
- Locking rooms and file cabinets where records are kept
- Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data
- Reporting suspicious attempts to obtain customer information to designated personnel
- Avoiding the storage of sensitive customer data on a computer with an Internet connection
- Ensuring that customer information is only stored on a computer with a “strong” password, kept in a physically-secure area
- Maintaining a careful inventory of the company’s computers and any other equipment on which customer information may be stored.
- Encrypting any sensitive data transmitted over the Internet, for instance by email
- Disposing of customer information in a secure way and in compliance with the FTC’s Disposal Rule
- Designating or hiring a records retention manager to supervise the disposal of records containing customer information
- Maintaining up-to-date and appropriate programs and controls to prevent unauthorized access to customer information
- Keeping logs of activity on internal networks with access to sensitive data and monitoring them for signs of unauthorized access to customer information
EPIC is also, as mentioned earlier, firmly against consumers using email or text to communicate with collection agencies — even if that’s something the debtor would prefer. (They’re also against using social media sites like Facebook, Twitter, and MySpace — and I find myself on the side of EPIC here. Those are inherently rife with FDCPA violations in ways that email and text messages are not.) According to EPIC, “A number of these services record and store communications by default, which renders such communications accessible to third parties who share devices or accounts with the consumer.” This would seem to suggest that EPIC feels that the beginning of the end for consumer protection was allowing collection agencies to communicate via letter, and it isn’t about to allow this new affront to stand.
EPIC closes with more concerns about social security numbers. Their fear is that reckless agencies will allow this data out into the world, compromising the identity of anyone held in a database. “The FTC should find that using Social Security numbers as primary identifiers in an industry that routinely loses and often fails to safeguard consumer information constitutes an ‘unfair trade practice.’” To be fair to EPIC, they’re against any company storing social security numbers or using them as identifiers.
EPIC’s recommendations are just that: recommendations. That they wrote a 20-page letter to the FTC doesn’t mean that the FTC will implement it tomorrow. However, it should also be kept in mind that EPIC has worked closely in the past with the FTC on other issues surrounding consumer protection. The more they can frame the argument as threats to consumer protection, the more likely it might be that the FTC will not just listen, but enact.