September 29, 2023
September 29, 2023
Data breaches are no joke, and many collection agencies have learned it the hard way—with pricey settlements or even facing bankruptcy as a consequence. A data breach usually involves the leak of user data such as names, email addresses, and passwords. The second quarter of 2023 saw a 156% increase in data breaches globally, with North America leading as the most affected region, according to a new report published by Surfshark and shared by our friends at Accounts Recovery. The United States accounted for 49.8 million leaked accounts in Q2.
The disturbing data highlights the importance of taking data protection measures for collection agencies in the U.S. In a time dominated by digital transactions and interactions, it’s hard to overstate the significance of data security.
For collection agencies, which handle sensitive financial and personal information on a consistent basis, maintaining strong data security measures is not just a legal requirement; it’s a critical aspect of building trust with clients and safeguarding sensitive information.
How can collection agencies better protect their customers’ data and prevent a breach? How should agencies prepare themselves in the event of a breach? What’s a good incident response plan? In this article, we’ll answer these questions and also provide notable examples of data breaches at debt collection agencies in recent years.
The best-known U.S. law for enforcing the protection of sensitive patient health information is HIPAA. However, there are several other laws that enforce data security for ARM companies.
The Gramm-Leach-Bliley Act (GLBA) is the main privacy law aimed at financial institutions, including collection agencies, and it has been updated with two rules: the Safeguards Rule (2003) and the Final Rule (2021). The latest update to the law includes new requirements, such as encrypting all customer information; multi-factor authentication; secure disposal of customer information; and security awareness training for the staff.
Other data protection and privacy laws collection agencies should be aware of are the Fair Credit Reporting Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act.
American Medical Collection Agency (AMCA) (2019)
In 2019, the third-party debt collection agency American Medical Collection Agency filed for bankruptcy in the aftermath of a data breach that affected at least 20 million U.S. citizens. Sensitive data such as social security numbers and credit card information were compromised in the breach. In 2021, the company reached a settlement with multiple states.
Professional Finance Company (PFC) (2022)
In 2022, Professional Finance Company (PFC), a Colorado-based collection agency, informed more than 650 of its healthcare provider clients that their data may have been compromised in a massive breach, which affected about 1.9 million patients. The information that was compromised included patient names, addresses, social security numbers, and health insurance data.
NCB Management Services (2023)
Earlier in 2023, the collection agency and debt buyer NCB Management Services said it was the target of a data breach exposing the sensitive information of nearly 1.1 million individuals. The company claimed that the attackers no longer had any of the information on their systems, possibly after an alleged ransom payment had been made.
Standards and Certifications
Following the relevant standards and seeking the relevant certifications for your business is a key starting point to ensure rigorous data security. One is the Payment Card Industry Data Security Standard (PCI DSS), the main information security standard used by the major card brands. ISO 27002 is an international standard that provides best practices on information security controls; ISO 27001 is a framework for implementing information security management systems (ISMS) to protect sensitive information. Additionally, SOC certifications provide assurance over a service organization’s controls, ensuring security, compliance, risk management, and transparency for stakeholders.
Encryption is crucial for both data storage and transmission. It protects the data from unauthorized use and can be implemented on data whether it’s in transit or at rest.
Limiting access to data within the company is a way to protect it from malicious parties. Depending on their roles and responsibilities, employees should have role-based access to sensitive data and documents.
Security Audits and Assessments
Security audits and assessments should be routinely conducted to ensure that the protection measures are up-to-date and effective. Keep in mind that third-party auditors are generally better than self-assessments, even though they are more costly. Audits can help you identify vulnerabilities and enable you to act fast and address them.
Security awareness training platforms such as Vanta and MetaCompliance offer easily digestible online training sessions to sensitize your employees to the importance of data security. These platforms can train employees to recognize phishing attempts, use diverse and strong passwords, etc.
As a collection agency, you’re likely using third-party vendors for several processes. Whenever you select and onboard a new vendor, always inquire into their data security practices, as they’ll likely have access to your consumers’ data.
Monitoring and Logging
By consistently tracking and recording all system activities and access, debt collection agencies can detect and respond to any suspicious or unauthorized activities. This proactive approach enables agencies to safeguard sensitive data and ensures compliance with regulations.
Incident Response Plan
What’s your collection agency’s incident response plan? What steps will you follow in case there is a data breach? You’ll need to notify the affected parties, work with regulatory bodies, and more.
There are several tools you can use to safeguard your collection agency’s data. Here we are listing the most important ones.
Intrusion Detection Systems (IDS): These systems monitor network traffic and can identify malicious activities or unauthorized access to your data. Whenever the system detects a threat, it sends an alert or takes action to stop it.
Firewalls: These are barriers between your internal networks and external ones, monitoring traffic between the two. They’re a good first line fo defense against cyber-attacks.
Data Loss Prevention (DLP): These solutions can detect unauthorized sharing of sensitive data by monitoring your data whether it’s at rest, in motion, or in use.
Multi-factor Authentication: One of the most “annoying” measures, MFA requires your employees to take multiple steps to log into your systems rather than only relying on a password.
API Security: Given that every cloud-based system is heavily dependent on API-based integrations, API security is another topic you will want to dive deeper into when securing sensitive data.
At Skit.ai, we are deeply committed to protecting our clients’ sensitive data and ensuring the privacy of their consumers. From encryption for data at rest and in transit to the ISO 27001: 2013 certification, from strict access management to physical security controls, we’ve implemented multiple measures to ensure maximum data protection.
If you would like to learn more about it, reach out to one of our experts using the chat tool below!
Tax season is the busiest time of the year for collection agencies. According to a recent report, 44% of Americans say they earmark their tax refunds to pay off their debts or bills. With 3 in 4 U.S. residents receiving a tax refund from the government during this season each year, the number of people […]
What Are Connect Rate and Right-Party Contact (RPC)? Debt collection agencies invest time and resources in getting in touch with consumers. In theory, all it takes for a collector to speak with a consumer is to hit the call button, but in reality, it’s not that simple; oftentimes, the number is wrong, the consumer does […]