Data Breaches & Data Privacy in the ARM Industry
Data privacy and security continue to be increasingly important points of consideration for businesses, healthcare systems, schools, government organizations, financial institutions, and others. Any organization that stores sensitive data digitally, including retailers, cell phone providers, and the like, must carefully plan for cybersecurity and understand the risks. In the US, recent high-profile ransomware incidents (the Colonial Pipeline breach, for one example) have impacted countless businesses and citizens and caused profound financial losses.
As data management systems continue to evolve and become increasingly integrated and cloud-based, the potential for exposed access points, human-user vulnerabilities, and consequential damage from data breaches carries increasingly significant weight. Educating employees, analyzing and improving processes, and monitoring systems can all play a role in preventing data breach disasters.
Sensitive Data & Nonpublic Information (NPI)
Some of the more well-known financial services and healthcare companies that have suffered major data breaches in recent years include Equifax, Anthem, and JPMorgan Chase, among others. Consumer finance companies generally have access to a wealth of NPI, or nonpublic personal information, while healthcare organizations also have access to sensitive personal medical information. For reference, the FTC defines NPI as follows:
- any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
- any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
- any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).
NPI does not include information that you have a reasonable basis to believe is lawfully made “publicly available.” In other words, information is not NPI when you have taken steps to determine:
- that the information is generally made lawfully available to the public; and
- that the individual can direct that it not be made public and has not done so.
For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, her phone number would not be “publicly available.”
Receivables management businesses handle NPI as well as payment information. They must therefore maintain secure infrastructure and policies, and they must also have plans for the prevention, detection, and handling of data security threats, security events, and actual data breaches. Beyond protecting consumers and the business itself, employees should understand that privacy practices are regulated by certain government and private entities.
Privacy Requirements in the ARM Space
The Federal Trade Commission (FTC) and other government agencies regulate financial institutions, including debt collectors, to enforce financial privacy requirements. One such requirement, set forth by the Gramm-Leach-Bliley Act, is the provision of privacy notices describing the institution's privacy practices. These might be referred to internally as “GLB letters” or something similar. Further, receivables management companies working with medical debt must also comply with medical record privacy laws, including HIPAA.
Because ARM companies process payments from consumers, PCI DSS compliance is also required, though it is enforced by payment industry stakeholders rather than by the government. Some businesses may choose to use third-party vendors to mitigate risk or to avoid storing payment data themselves, while others may use internal systems. Regardless of the approach, security and internal controls must be carefully considered.
Prevention, Detection, and Preparedness
According to the Identity Theft Resource Center, the financial services sector alone averaged around 25 data breaches per month from 2017-2021, and those are only the ones that were detected and reported. It is likely not a question of “if” a business will be targeted but a question of “when” and “how.” Businesses must prepare in several key ways, perhaps even by reserving funds to help remediate risks and losses in case of such an event.
Some of the most common threats still include phishing and ransomware. It is important to continue providing employee training and to reduce stigma so that employees honestly report any possible events (e.g., clicking on a “bad link”). Attackers often rely on employee distraction as an access gateway, so the team as a whole should remain alert to potential threats. IT protection techniques also include system authentication, data encryption, user access control, and firewalls. Other factors to consider include public versus private cloud storage and any possible misconfigurations.
In a presentation at the 2020 RMAI Annual Conference entitled “Cybersecurity and Data Breach Response,” the tips included archiving or unplugging old records, using multiple vendors with overlapping scanning coverage for early detection, and conducting routine “stress tests” to prepare for any possible events.
To learn more about cybersecurity, a wide variety of private resources are available, including podcasts such as Cyber Work and What the Hack with Adam Levin, as well as websites such as InfoSecInstitute. The Cybersecurity and Infrastructure Security Agency (CISA) also provides quick links with guidance and resources.
To learn more about the ARM industry as a whole, follow Receivables Info on Facebook, LinkedIn, and YouTube. Be sure to also check out our Money Chat series for more ways to stay financially literate while exploring the receivables landscape.
The information contained in this article is meant to serve as general guidance for entry-level to mid-level ARM industry professionals and is not meant to serve as comprehensive business, legal, or financial advice.