The Importance of Data Security for Debt Collection Agencies

Data Breaches Are No Joke, and They’ve Been Spiking

Data breaches are no joke, and many collection agencies have learned it the hard way—with pricey settlements or even facing bankruptcy as a consequence. A data breach usually involves the leak of user data such as names, email addresses, and passwords. The second quarter of 2023 saw a 156% increase in data breaches globally, with North America leading as the most affected region, according to a new report published by Surfshark and shared by our friends at Accounts Recovery. The United States accounted for 49.8 million leaked accounts in Q2.

The disturbing data highlights the importance of taking data protection measures for collection agencies in the U.S. In a time dominated by digital transactions and interactions, it’s hard to overstate the significance of data security.

For collection agencies, which handle sensitive financial and personal information on a consistent basis, maintaining strong data security measures is not just a legal requirement; it’s a critical aspect of building trust with clients and safeguarding sensitive information.

How can collection agencies better protect their customers’ data and prevent a breach? How should agencies prepare themselves in the event of a breach? What’s a good incident response plan? In this article, we’ll answer these questions and also provide notable examples of data breaches at debt collection agencies in recent years.

Data Security: Legal and Regulatory Requirements

The best-known U.S. law for enforcing the protection of sensitive patient health information is HIPAA. However, there are several other laws that enforce data security for ARM companies.

The Gramm-Leach-Bliley Act (GLBA) is the main privacy law aimed at financial institutions, including collection agencies, and it has been updated with two rules: the Safeguards Rule (2003) and the Final Rule (2021). The latest update to the law includes new requirements, such as encrypting all customer information; multi-factor authentication; secure disposal of customer information; and security awareness training for the staff.

Other data protection and privacy laws collection agencies should be aware of are the Fair Credit Reporting Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Notable Examples of Data Breaches at Debt Collection Agencies

American Medical Collection Agency (AMCA) (2019)

In 2019, the third-party debt collection agency American Medical Collection Agency filed for bankruptcy in the aftermath of a data breach that affected at least 20 million U.S. citizens. Sensitive data such as social security numbers and credit card information were compromised in the breach. In 2021, the company reached a settlement with multiple states.

Professional Finance Company (PFC) (2022)

In 2022, Professional Finance Company (PFC), a Colorado-based collection agency, informed more than 650 of its healthcare provider clients that their data may have been compromised in a massive breach, which affected about 1.9 million patients. The information that was compromised included patient names, addresses, social security numbers, and health insurance data.

NCB Management Services (2023)

Earlier in 2023, the collection agency and debt buyer NCB Management Services said it was the target of a data breach exposing the sensitive information of nearly 1.1 million individuals. The company claimed that the attackers no longer had any of the information on their systems, possibly after an alleged ransom payment had been made.

What Are the Best Practices for Data Security?

Standards and Certifications

Following the relevant standards and seeking the relevant certifications for your business is a key starting point to ensure rigorous data security. One is the Payment Card Industry Data Security Standard (PCI DSS), the main information security standard used by the major card brands. ISO 27002 is an international standard that provides best practices on information security controls; ISO 27001 is a framework for implementing information security management systems (ISMS) to protect sensitive information. Additionally, SOC certifications provide assurance over a service organization’s controls, ensuring security, compliance, risk management, and transparency for stakeholders.

Encryption

Encryption is crucial for both data storage and transmission. It protects the data from unauthorized use and can be implemented on data whether it’s in transit or at rest.

Access Controls

Limiting access to data within the company is a way to protect it from malicious parties. Depending on their roles and responsibilities, employees should have role-based access to sensitive data and documents.

Security Audits and Assessments

Security audits and assessments should be routinely conducted to ensure that the protection measures are up-to-date and effective. Keep in mind that third-party auditors are generally better than self-assessments, even though they are more costly. Audits can help you identify vulnerabilities and enable you to act fast and address them.

Employee Training

Security awareness training platforms such as Vanta and MetaCompliance offer easily digestible online training sessions to sensitize your employees to the importance of data security. These platforms can train employees to recognize phishing attempts, use diverse and strong passwords, etc.

Vendor Management

As a collection agency, you’re likely using third-party vendors for several processes. Whenever you select and onboard a new vendor, always inquire into their data security practices, as they’ll likely have access to your consumers’ data.

Monitoring and Logging

By consistently tracking and recording all system activities and access, debt collection agencies can detect and respond to any suspicious or unauthorized activities. This proactive approach enables agencies to safeguard sensitive data and ensures compliance with regulations.

Incident Response Plan

What’s your collection agency’s incident response plan? What steps will you follow in case there is a data breach? You’ll need to notify the affected parties, work with regulatory bodies, and more.

When It Comes to Data Protection, Technology Is Your Friend

There are several tools you can use to safeguard your collection agency’s data. Here we are listing the most important ones.

Intrusion Detection Systems (IDS): These systems monitor network traffic and can identify malicious activities or unauthorized access to your data. Whenever the system detects a threat, it sends an alert or takes action to stop it.

Firewalls: These are barriers between your internal networks and external ones, monitoring traffic between the two. They’re a good first line fo defense against cyber-attacks.

Data Loss Prevention (DLP): These solutions can detect unauthorized sharing of sensitive data by monitoring your data whether it’s at rest, in motion, or in use.

Multi-factor Authentication: One of the most “annoying” measures, MFA requires your employees to take multiple steps to log into your systems rather than only relying on a password.

API Security: Given that every cloud-based system is heavily dependent on API-based integrations, API security is another topic you will want to dive deeper into when securing sensitive data.

Conclusion: How Skit.ai Protects Consumer Data

At Skit.ai, we are deeply committed to protecting our clients’ sensitive data and ensuring the privacy of their consumers. From encryption for data at rest and in transit to the ISO 27001: 2013 certification, from strict access management to physical security controls, we’ve implemented multiple measures to ensure maximum data protection.

If you would like to learn more about it, reach out to one of our experts using the chat tool below!

Leveraging Cognitive Science to Improve CX with Voice AI

How Human Cognition Impacts the Way Users Interact with Voice AI

When developing and configuring a conversational Voice AI solution, it’s imperative to take into account the experience that end-users will have when interacting with the solution. No matter what the use case is, users should be able to utilize the voicebot to reach a satisfactory resolution, while also having a pleasant experience.

CX is one of the elements that drive the work of Conversational User Experience (CUX) Designers, who ask themselves multiple questions when designing a Voice AI solution: Who is the client and what is its brand identity? What target persona will be interacting with the voicebot, and what use cases will the solution help them with?

To maximize the quality of the user experience and the consequent CX, conversation designers take into account cognitive science. The goal is to design intuitive, effective, and engaging interactions; cognitive science can provide insight into how users process information, make decisions, and interact with technology.In order to understand the role of cognitive science in CUX, we must first define the term “cognitive load.” According to the American Psychological Association, cognitive load (or mental load) is the “relative demand imposed by a particular task, in terms of mental resources required.” As humans, we can only hold so much information in our minds at any given time; our minds are limited, and we can’t overload them. That is why minimizing the cognitive load plays an important role in ensuring a positive user experience.

Let’s analyze these aspects one by one:

Natural language processing: CUX designers take into consideration the way users process language, including speech recognition and text-to-speech conversion, as well as the interplay between different elements of speech, such as prosody, pitch, emphasis, and the consequent tonality, which further contributes to perceptual and contextual semantics. NLP is essential for building effective conversational systems. This process also includes researching and implementing algorithms that accurately recognize and respond to human speech.

Memory and recall: The user’s ability to remember and recall information when necessary is essential to conversation design. The cognitive load is directly affected by the complexity and quantity of the information given to the user. Designers consider how the information is presented and stored, and ensure that users can easily and quickly retrieve it.

Attention and distraction: Understanding how people allocate their attention, what contributes to selectivity in attention in a given context, and how easily users can be distracted. Designers must structure the conversation to keep the user’s attention focused on the task at hand, resulting in better engagement and performance.

Emotion and motivation: Emotions play a significant role in shaping human behavior and decision-making. Designers consider how users may feel about the interaction and how to motivate them to engage with the voicebot. Secondary UX research about user demographics and socio-economic and geo-cultural backgrounds can provide valuable insights to improve CX.

Decision-making and problem-solving: Conversations often involve decision-making and problem-solving, and understanding how people process information and make decisions is crucial for effective conversation design. Factors include biases, heuristics, and cognitive load.

How Do You Reduce Cognitive Load in Conversation Design?

What are the best ways for conversation designers to reduce the users’ cognitive load in a conversation with a Voice AI solution, consequently improving the customer experience? Here are some guidelines you can follow:

Simplify prompts and confirmations: Using as few and simple prompts and confirmations as possible helps reduce the need for users to remember and respond to multiple options, ultimately leading to an optimal cognitive load and user experience. This is easier to accomplish with a well-designed conversational Voice AI than with legacy technologies such as IVR systems, in which users are forced to listen to long menus of mostly irrelevant options.

For example, a legacy IVR system will offer a lengthy menu of options, such as: “For your account balance, press 1; for information on your upcoming payment, press 2; to update your personal information, press 3 … To hear this options again, please press #.”

Instead, a Voice AI solution will simply ask: “How can I help you?”

Another example is the prompt for a user’s date of birth. A poorly-designed voicebot will say: “Please enter your date of birth in the following format—two digits for the month, two digits for the day, four digits for the year,” or a similarly lengthy and confusing prompt.

Instead, a well-designed voicebot will ask: “Could you please say or enter your date of birth?”

Use natural language: Use natural language and avoid complex sentence structures to reduce the cognitive effort required to understand the conversation.

See below an example that highlights the difference between a more robotic language choice and an alternative with more natural-sounding language.

Robotic language: Unfortunately, the payment amount that you have given is less than the acceptable minimum amount of $50. Can you please state an amount that is equal to or higher than $50?”

Natural-sounding language: “Sorry, but the minimum we can accept is $50. Can you please tell me how much above that amount you can afford to pay today?”

Provide clear cues: Open-ended questions can prompt a multitude of responses from the users; the voicebot might not understand many of the possible answers. Therefore, using clear cues to indicate when the user should speak, and using audio cues to confirm that the system has understood the user’s response should be adopted as a standard practice.

For example, here’s what the Voice AI solution will say to negotiate a payment plan: “We offer a choice of 2-month, 4-month, and 8-month payment plans. Which payment plan would you like?”

Another way to provide clear cues is the use of an audio signal informing the user that something is happening; in jargon, this is knows as an “earcon” (a brief, characteristic, harmonized and structured sound and its job is to communicate a specific message, event, status to a user or convey a task being performed).

This type of audio signal gives the user a cue that something is happening (e.g. a payment is being processed), instead of just having plain silence, which can lead to confusion. An earcon, for example, could be the sound of someone typing on a keyboard, which signals that the information is being processed.

Use progressive disclosure: Progressive disclosure is a strategy in interaction design to reveal information gradually and start only with the most essential information. Providing information to the user in a step-by-step manner, rather than overwhelming them with too much information at once, leads to increased engagement and enhanced experience.

See the example below:

Voicebot: “To set up a payment plan, can you tell me how much you are comfortable paying each month?”

User: “$60.”

Voiebot: “Thanks! Based on a $60 monthly payment, we can set up a payment plan with a duration of 4 months. Your payment plan will start on the next billing cycle. How does that sound?”

The reiteration of the monthly payment amount also serves as an implicit confirmation.

Contextual design: Using context to guide the conversation reduces the need for the users to provide additional information. For example, just as we do when we talk with a waiter at a restaurant, if the user has already provided their name, the system should use that name in subsequent interactions. As the conversation progresses, the voicebot will have more and more context and will be able to utilize the information it has collected to improve the user experience.

The voicebot shouldn’t just rely on context of the specific conversation taking place, but also on the context of previous interactions with the same user. Acknowledging previous interactions is a good idea.

Test and iterate: Testing the bot’s conversations with users and iterating the flows based on their feedback helps improve the user experience (UX) and reduce the cognitive load. The conversation flow can be optimized based on the different users’ needs. Additionally, different types of debt, different users, different demographics often require slightly different approaches.


There is no doubt that leveraging cognitive science in the design and development of conversational Voice AI solutions can significantly enhance the customer experience (CX).

By understanding how human cognition impacts user interactions, conversation designers can create intuitive and engaging interactions that reduce cognitive load, leading to more positive user experiences.

By applying these insights and best practices, business can rely on voicebots to meet their customers’ needs and optimize the use of their own resources. As the technology continues to advance, the potential for Voice AI continues to grow.

Want to learn how Voice AI can transform your business? Use the chat tool below to schedule a meeting with one of our experts!