Opinion: Your data needs more protection from shady debt collectors

HBO's John Oliver shined a light on tricky debt collection practices. How agencies often mishandle debtors' sensitive personal information – and the lax standards for how this information should be treated – is equally troubling.

Georgia woman Stephanie Maple kept notes about calls she got concerning collection on a debt her husband doesn't remember having. One debt collector illegally told her the agency would take her house and send her husband to jail if they didn't pay an old debt.

Melanie Stetson Freeman/The Christian Science Monitor

June 10, 2016

John Oliver wasn’t optimistic during his June 5 “Last Week Tonight” segment on debt collection. Shady brokers use aggressive, unethical, and legally problematic tactics to bully cash-strapped Americans into paying money they may not even owe anymore. As bleak as that sounds, Mr. Oliver only hinted at the even deeper trouble people could find themselves in, if brokers mishandle their sensitive information.

Debt agencies often use Microsoft Excel spreadsheets, containing a debtor’s name, Social Security number, address, and other information that could give criminals all the information they need to perpetrate identity theft, fake phone solicitation, and other types of fraud. If that sounds unbelievably sketchy, that’s because it is.

But isn’t there some kind of measure in place for protecting the data that resides in those spreadsheets? Yes, kinda. Though it’s clear those measures have substantial loopholes that could allow your personal information to fall through the cracks. If tougher penalties were in place, however, it’s likely that firms wouldn’t even consider engaging in this kind of activity at all.  


Some regulations do exist

Spreadsheets and other information portfolios are covered under the Gramm-Leach-Bliley Act, which states that covered entities are required to maintain, protect and secure consumers’ records and information. But the safeguards are short on specifics, only requiring that firms assign at least one employee to protect data, that they develop a program capable of protecting that data, and update company policy when necessary. Those are broad provisions that could make it possible for companies to be compliant while not actually doing everything possible to protect debtor information.

Debt buyers are exempt from sending the annual privacy notices of the kind you might get from your bank. This is ostensibly because issuing so many notices caused too many headaches for these businesses, which received floods of calls from recipients confused about the purpose of the letter. They are still required to send an initial privacy statement, which outlines a debt buyer’s privacy policy and whether it shares information with third parties.

The Federal Trade Commission (FTC) does go after debt buyers that fail to practice adequate data security measures or who sell data directly to scammers. But it’s not often enough, and these collection agencies are not held to a high enough standard when it comes to handling your data.

In one instance, the FTC went after a debt broker accused of publicly posting the sensitive personal information of more than 70,000 people without encryption, redaction or any other form of protection. Those spreadsheets were viewed at least 500 times, according to the FTC.

In February, a group of debt agencies settled with the FTC over charges they misled customers about how easy it would be to get a loan, then “knowingly provided scammers” with Social Security numbers and bank account information on hundreds of thousands of people. That made it possible for scammers to steal millions of dollars from the accounts of already broke Americans, the FTC alleged. The penalty? A $4.1 million fine against one debtor and $5.7 million in suspended fines against three others.


Standards aren't high enough

In many states, debt buyers and collection agencies aren’t even required to have a license or bond, and regulations for interstate collections are even spottier. There are almost certainly a whole slew of mom-and-pop companies whose practices may be problematic, but not so much so as to draw attention, or fines, from federal authorities. And it’s not uncommon for debts to be sold multiple times to different companies, so even if your information is safe with one agency, it might not be the same story elsewhere.

It’s likely that the cases pursued by the FTC are merely the ones that are so egregious that the FTC can’t look away. Countless smaller companies, who deal with only a handful of portfolios, may escape official notice entirely.

Ideally, purchasing debt would also require a license in all 50 states. The Gramm-Leach-Bliley Act requires that debt buyers follow a Written Information Security Program, a regulation that forces companies to clearly define how they implement technical and physical security. Requiring an audit of that plan would go a long way toward raising the cost of entry so that debt buyers act like legitimate businesses, rather than as bullies who care little for the damage they do to a person’s life.

When it comes to oversight, there is a silver lining. It’s that the companies who acquire the freshest debts may be the biggest companies, and thus the most likely to be scrutinized. So if a debt buyer or collection agency starts bugging you, it’s best to work as quickly as possible to resolve the situation. That way you can make sure your information doesn’t fall into the hands of less-reputable brokers.

If you discover that your information has been given to a debt broker or collection agency, here are some tips to help you get your situation resolved promptly:

Verify the debt

It’s important to verify in writing what information debt buyers have on you, especially since they often have incomplete or outdated information that has already been sold to multiple brokers.

The Fair Debt Collection Practices Act covers what collectors must do to verify your information. It’s a good idea to contact the original creditor to confirm that they have sold your account, and to whom. The debt may have been passed off after the initial sale, but it’s important to investigate where it went next and if you can stop it from being sold again. If the account is through a healthcare facility or insurer, it’s especially important to go to that organization directly in order to decrease the necessity for any additional information to be shared with the broker.

Document everything

It’s always a good idea, especially in case you need to take legal action, to request all information in writing. Be sure to store that documentation securely, both with some form of encryption and by backing up any digital copies. All that takes is an external hard drive and/or teaching yourself how to use free encryption tools meant to shield your data.

Check your credit report early and often

If fraudulent accounts or charges have been made in your name, checking your credit report may indicate a problem before collectors contact you. By checking with all three credit bureaus regularly, you can spot inaccuracies quickly and either stop creditors from contacting you or at least reduce the level of surprise when they do. Also, keep in mind credit report records sometimes take several months to update, so the absence of collection accounts does not mean you’re totally in the clear.

The Identity Theft Resource Center website has excellent, detailed instructions to help you stop the collection process and correct your record.

It’s troubling to find yourself at the mercy of these debt collection agencies. But it’s not an issue you can ignore, even if it’s clear the company is operating on erroneous information. By acting quickly, and documenting every interaction, you can minimize the risk to yourself and your credit rating. Until the FTC dedicates more resources to fighting back on behalf of all Americans, it’s the only thing you can do.

Lysa Myers is a security researcher at ESET. Follow her @LysaMyers.