In the wake of a settlement with a debt portfolio broker over the public disclosure of sensitive consumer information, the FTC Wednesday published steps debt buyers and sellers can take to secure consumer data.
In a post on its Business Center Blog, the FTC discussed the case and offered seven steps participants in the secondary debt buying market can take regarding data integrity and security. The post is more casual than most FTC communications and is intended for a business audience rather than for consumers and media.
The seven steps suggested by the FTC:
1. Don’t disclose data publicly. Let’s face it. The data in your possession – account numbers, Social Security numbers, information about debt amounts, creditors, charge-offs, etc. – is the financial equivalent of plutonium. Powerful when used with proper safeguards in place, but hazardous in the wrong hands. That’s why there is simply no legitimate business reason for publicly posting your portfolios or making consumer information publicly available in any other way. You can advertise by mentioning specific categories of information you have, but don’t disclose the individual’s information. Period.
2. Store your portfolios securely. Keep paper copies in a locked room or in a secure cabinet. Limit employee access on a need-to-know basis. Electronic data needs fortification, too. Consider keeping portfolios in password-protected files and make sure all devices with access to the information have reasonable security measures in place – updated antivirus software, firewalls, and the like.
3. Minimize the amount of consumer information you share with prospective buyers. Potential buyers may need access to some of the sensitive data in a portfolio to evaluate whether they want to buy it, but keep it to a minimum. Provide only the data the prospective buyer needs and explain why sound security is in their best interest, too. Furthermore, don’t sell sensitive information to just anyone. Make sure they are who they say they are, and consider contractually requiring them to maintain reasonable safeguards.
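One way to put step 3 into practice is to generate a separate "buyer extract" from the portfolio rather than handing over the raw file. The script below is an added illustration, not code from the FTC or from the post; the portfolio rows are constructed sample data, and the choice of which fields a prospective buyer needs (creditor, balance, charge-off date, state) is an assumption for the example.

```python
import csv
import io
import re

# Constructed sample portfolio (not real consumer data).
PORTFOLIO_CSV = """account_number,ssn,debtor_name,creditor,balance,charge_off_date,state
4111222233334444,123-45-6789,Jane Doe,Example Bank,1250.00,2012-03-14,CA
5555666677778888,987-65-4321,John Roe,Sample Credit,640.50,2011-11-02,TX
"""

# Assumed set of fields a prospective buyer needs to value the portfolio.
BUYER_FIELDS = ("creditor", "balance", "charge_off_date", "state")

# Fields that are never shared before the sale closes.
WITHHELD_FIELDS = frozenset({"ssn", "debtor_name"})

MASKED_REF = re.compile(r"^\*+\d{4}$")


def mask_account(number: str) -> str:
    """Keep only the last four digits so records stay distinguishable."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def build_buyer_extract(csv_text: str) -> list[dict]:
    """Project each record down to the buyer fields plus a masked account reference."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        out = {field: rec[field] for field in BUYER_FIELDS}
        out["account_ref"] = mask_account(rec["account_number"])
        rows.append(out)
    return rows


def extract_is_minimized(rows: list[dict]) -> bool:
    """Pre-release check: no withheld field present, account refs masked."""
    for row in rows:
        if WITHHELD_FIELDS & row.keys():
            return False
        if not MASKED_REF.match(row["account_ref"]):
            return False
    return True


if __name__ == "__main__":
    extract = build_buyer_extract(PORTFOLIO_CSV)
    print("minimized:", extract_is_minimized(extract))
    for row in extract:
        print(row)
```

The check in `extract_is_minimized` is the part worth keeping in a real pipeline: run it on the file that is actually about to leave the building, not on the code that was supposed to produce it.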
4. Transfer data securely. When transferring data to a potential or final buyer, keep it secure. For example, encrypt the file or password-protect the portfolio. If you’re sending the file via email, don’t include the password in the same message.
5. Dispose of data safely. When you no longer need sensitive consumer information, get rid of it securely, using strategies to thwart dumpster divers and hackers. Don’t just throw away hard copies. Burn, pulverize, or shred them. For electronic files, simply clicking the delete button may not be enough. Take advantage of free and low-cost tools that will reduce the risk that a computer criminal can recreate a deleted file.
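For the electronic side of step 5, the script below is an added example (not from the FTC or the post) of the "more than clicking delete" idea: it overwrites a file's contents with random bytes and syncs to disk before unlinking it. The sample file is constructed for the demo. One caveat a practitioner should know: on SSDs, journaling or copy-on-write filesystems, and cloud block storage, an in-place overwrite does not guarantee the old blocks are unrecoverable; the dependable control there is encryption at rest with destruction of the key.

```python
import os
import secrets
import tempfile


def overwrite_and_delete(path: str, passes: int = 2, chunk: int = 64 * 1024) -> int:
    """Overwrite the file in place, fsync, then unlink. Returns bytes overwritten per pass.

    Effective on plain spinning-disk filesystems; see the lead-in for where
    this is not sufficient and key destruction should be used instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    os.unlink(path)
    return size


def demo() -> bool:
    """Create a stand-in portfolio export, wipe it, and confirm it is gone."""
    # Constructed sample content; not real consumer data.
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"account_number,ssn,balance\n4111222233334444,123-45-6789,1250.00\n")
    written = overwrite_and_delete(path)
    return written > 0 and not os.path.exists(path)


if __name__ == "__main__":
    print("wiped:", demo())
```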
6. Have a plan in place in case there’s a breach. Whether it’s a misplaced file, a lost laptop, or a hack attack, the worst time to start thinking about a data breach is after you’ve experienced one. One key step in a compliance check-up is to put together an up-to-date file of “just-in-case” resources. For example, if there’s a breach, how will you contact affected consumers, businesses, and law enforcement? Most states have data breach laws with specific requirements. Be sure to consult all relevant laws.
7. Take advantage of free resources from the FTC. Evaluating your company’s practices doesn’t have to be a start-from-scratch process. The FTC has a to-the-point publication, Protecting Personal Information: A Guide for Business, with practical tips on securing sensitive data. Watch a 20-minute online tutorial that outlines the basics. Information Compromise and the Risk of Identity Theft includes steps to consider if you’ve experienced a data breach.