If you’ve been following the FTC’s 50+ data security settlements, you know there are some places it’s not wise to leave sensitive information lying around – for example, in a dumpster behind a drugstore, in the trash near a payday loan company, or in an employee’s backpack. When it comes to financial information about consumer debts, the FTC has filed two lawsuits adding another location to that “Shouldn’t it be obvious?” list: in spreadsheets posted in plainly readable form on a website aimed at debt brokers, but publicly available to identity thieves, account fraudsters, Nosy Parkers, and whoever else happens upon the site.
California-based Cornerstone and Company and Florida-based Bayview Solutions, LLC are debt brokers that buy and sell portfolios of charged-off consumer debt for eventual collection by third-party debt collectors. One way they do that is on a website that serves as an interactive marketplace where members of the debt collection industry exchange information about portfolios they’re looking to buy or sell.
Only members of the site can create profile pages and post comments, but anyone who visited could view and download content. Debt brokers typically post a summary of the portfolio they’re selling with general information like the number and amount of debts, the total face value, and how old the debts are. They’ll give their contact information so interested buyers can find out more offline.
But not Cornerstone and Bayview. On a number of occasions, the defendants posted messages offering portfolios for sale. But rather than just giving a description, the FTC says the defendants took the additional step of actually attaching unencrypted, unprotected Excel spreadsheets exposing to public view the personal information of more than 70,000 consumers who allegedly owed money.
What kind of stuff did the companies disclose? Among other things, dates of birth, bank account and routing numbers, addresses, phone numbers, email addresses, employers’ names and contact information, references’ names and phone numbers, the amount of each consumer’s purported debt – the whole megillah. Other portfolios even included consumers’ credit card and drivers’ license numbers.
In some instances, Cornerstone and Bayview redacted certain information – for example, a list would include a consumer’s first name, but masked the last name. But according to the FTC, given all the other information the defendants revealed about each consumer, it wouldn’t take a genius to do a quick online search that easily yielded the redacted information.
Consider the risk to consumers. ID theft and financial fraud are just for starters. The FTC says the defendants’ actions also raised the risk that people on their lists would become targets for phantom debt collectors – scammers who try to collect on debts they have no authority to collect or even collect when people don’t owe anything. What’s more, information of this nature is particularly sensitive because the public disclosure of debts can result in job loss and family turmoil.
A federal court entered a preliminary injunction against Cornerstone and owner Brandon Lambert. The Bayview defendants, including owner Aron Tomko, agreed to the entry of a preliminary injunction in their case. The injunctions require the defendants to notify affected consumers and use reasonable safeguards to protect consumer information in their possession.
To avoid unlawful disclosure, there are security measures debt buyers and sellers can put in place:
1. Don’t disclose data publicly. Let’s face it. The data in your possession – account numbers, Social Security numbers, information about debt amounts, creditors, charge-offs, etc. – is the financial equivalent of plutonium. Powerful when used with proper safeguards in place, but hazardous in the wrong hands. That’s why there is simply no legitimate business reason for publicly posting your portfolios or making consumer information publicly available in any other way. You can advertise by mentioning specific categories of information you have, but don’t disclose the individual’s information. Period.
2. Store your portfolios securely. Keep paper copies in a locked room or in a secure cabinet. Limit employee access on a need-to-know basis. Electronic data needs fortification, too. Keep portfolios in encrypted, password-protected files (a password that only locks a spreadsheet against editing is not encryption and does not protect the contents), and make sure all devices with access to the information have reasonable security measures in place – updated antivirus software, firewalls, and the like.
3. Minimize the amount of consumer information you share with prospective buyers. Potential buyers may need access to some of the sensitive data in a portfolio to evaluate whether they want to buy it, but keep it to a minimum. Provide only the data the prospective buyer needs and explain why sound security is in their best interest, too. Furthermore, don’t sell sensitive information to just anyone. Make sure they are who they say they are, and consider contractually requiring them to maintain reasonable safeguards.
4. Transfer data securely. When transferring data to a potential or final buyer, keep it secure. For example, encrypt the file or password-protect the portfolio. If you’re sending the file via email, don’t include the password in the same message – send it through a separate channel, such as a phone call, so that someone who intercepts or mis-receives the email can’t open the attachment.
5. Dispose of data safely. When you no longer need sensitive consumer information, get rid of it securely, using strategies to thwart dumpster divers and hackers. Don’t just throw away hard copies. Burn, pulverize, or shred them. For electronic files, simply clicking the delete button isn’t enough: deletion usually removes only the directory entry and leaves the contents recoverable. Take advantage of free and low-cost tools that securely overwrite deleted files, and for drives that are being retired, use full-disk encryption from the start or physically destroy the media, since overwriting tools are not reliable on solid-state drives.
6. Have a plan in place in case there’s a breach. Whether it’s a misplaced file, a lost laptop, or a hack attack, the worst time to start thinking about a data breach is after you’ve experienced one. One key step in a compliance check-up is to put together an up-to-date file of “just-in-case” resources. For example, if there’s a breach, how will you contact affected consumers, businesses, and law enforcement? Most states have data breach laws with specific requirements. Be sure to consult all relevant laws.
7. Take advantage of free resources from the FTC. Evaluating your company’s practices doesn’t have to be a start-from-scratch process. The FTC has a to-the-point publication, Protecting Personal Information: A Guide for Business, with practical tips on securing sensitive data. Watch a 20-minute online tutorial that outlines the basics. Information Compromise and the Risk of Identity Theft includes steps to consider if you’ve experienced a data breach.
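What “minimize the information you share” (item 3) looks like in practice, as an added example that is not part of the FTC’s post or of either company’s practices: a small Python script that turns a full portfolio spreadsheet into a buyer-evaluation extract. It drops every identifying or contact field, generalizes the charge-off date to an age range, replaces the account number with a keyed pseudonym the seller can map back at closing, and refuses to produce the file if any personal information survives. The sample rows, the column names, and the set of buyer-visible fields are constructed for illustration; the extract would still be encrypted with a vetted tool before being sent (item 4), which this script does not do.

```python
"""Minimize a charged-off debt portfolio before sharing it with a prospective buyer.

Added example, not from the FTC post. The sample rows below are constructed and
the column names and buyer-visible fields are assumptions for illustration.
"""
import csv
import hashlib
import hmac
import io
import re
from datetime import date

# Constructed sample of the kind of spreadsheet the post describes.
PORTFOLIO_CSV = """account_number,first_name,last_name,dob,ssn,bank_routing,bank_account,address,state,phone,email,employer,original_creditor,charge_off_date,balance
4417123456789012,Maria,Lopez,1979-04-12,123-45-6789,021000021,99887766,12 Elm St,CA,555-0101,maria@example.com,Acme Corp,First Bank,2019-06-30,1843.22
5105105105105100,James,Carter,1985-11-03,987-65-4321,011000015,55443322,9 Oak Ave,FL,555-0102,james@example.com,Widget LLC,Card Co,2021-02-15,412.00
"""

# Columns that identify or reach a specific person. None of these leave the seller.
PII_FIELDS = {
    "account_number", "first_name", "last_name", "dob", "ssn", "bank_routing",
    "bank_account", "address", "phone", "email", "employer",
}

# What a buyer needs to price a portfolio (assumed list).
BUYER_FIELDS = ["portfolio_ref", "state", "original_creditor", "age_bucket", "balance"]

# Value-level patterns, in case personal data was pasted into an allowed column.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
LONG_DIGITS_RE = re.compile(r"\d{13,19}")  # card or account number as a whole field


def age_bucket(charge_off: str, today: date) -> str:
    """Generalize an exact charge-off date to a coarse age range in years."""
    years = (today - date.fromisoformat(charge_off)).days // 365
    if years < 1:
        return "<1y"
    if years < 3:
        return "1-3y"
    return "3y+"


def make_ref(key: bytes, account_number: str) -> str:
    """Keyed pseudonym for an account. The seller keeps `key` and can map refs
    back at closing; a buyer holding only the extract cannot reverse them."""
    digest = hmac.new(key, account_number.encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:16]


def minimize(rows, key: bytes, today: date):
    """Keep only the buyer-visible fields, generalized or pseudonymized as needed."""
    return [
        {
            "portfolio_ref": make_ref(key, r["account_number"]),
            "state": r["state"],
            "original_creditor": r["original_creditor"],
            "age_bucket": age_bucket(r["charge_off_date"], today),
            "balance": r["balance"],
        }
        for r in rows
    ]


def check_no_pii(rows) -> bool:
    """Final guard before anything leaves the building: False if a PII column
    is present or an allowed column carries an SSN, e-mail or long digit string."""
    for r in rows:
        if PII_FIELDS & set(r):
            return False
        for v in r.values():
            v = str(v)
            if SSN_RE.search(v) or EMAIL_RE.search(v) or LONG_DIGITS_RE.fullmatch(v):
                return False
    return True


def build_extract(csv_text: str, key: bytes, today: date):
    """Return (minimized rows, CSV text for the buyer); raise if PII survives."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    minimized = minimize(rows, key, today)
    if not check_no_pii(minimized):
        raise ValueError("extract still contains personal information; not releasing")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=BUYER_FIELDS)
    writer.writeheader()
    writer.writerows(minimized)
    return minimized, buf.getvalue()


def demo():
    """Run the sample through with a fixed key and date; returns the full rows
    and the minimized rows so both can be inspected."""
    full_rows = list(csv.DictReader(io.StringIO(PORTFOLIO_CSV)))
    minimized, _text = build_extract(PORTFOLIO_CSV, b"seller-only-secret", date(2024, 1, 1))
    return full_rows, minimized


if __name__ == "__main__":
    _full, _minimized = demo()
    print(build_extract(PORTFOLIO_CSV, b"seller-only-secret", date(2024, 1, 1))[1])
```

The point of the keyed pseudonym rather than a plain hash is the lesson of the partially redacted lists above: an unkeyed hash of an account number can be reversed by anyone who can enumerate candidates, whereas the HMAC key never leaves the seller. Likewise, bucketing the charge-off date and dropping the name, address and employer removes the attributes a search engine would need to re-identify the consumer from the rest of the row.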