Reducing the risk: 7 steps for securing sensitive debt data

Like juggling chain saws or using a Ming vase as a sippy cup, some things are just too risky to be reasonable. Here’s one to add to that list: posting unencrypted financial information about 55,000 consumers on a website available to anyone with an internet connection. Two FTC settlements with debt brokers – and a 7-step brochure for industry members – offer advice on keeping sensitive information secure.

In separate lawsuits filed last year, the FTC says Cornerstone and Company and Bayview Solutions posted spreadsheets on a site for debt buyers, sellers, and others in the collections industry. The spreadsheets included the kind of information that’s an all-you-can-eat buffet for fraudsters and identity thieves: names, addresses, credit card numbers, bank account data, and debts people allegedly owed. The disclosure of data like that raises the specter of phantom debt collection.

The name sounds other-worldly, but the problem is all too real. Phantom collectors get people to pay debts they’re not authorized to collect. Armed with enough information to sound legit, they pocket the cash and disappear. And they don’t stop there. Some phantom debt collectors collect from people who don’t owe money at all. They lean on consumers so hard that some say “Uncle!” just to make it stop.

Of course, the lifeblood for these ghouls is financial information other companies have handled cavalierly. The FTC alleged that Cornerstone and Bayview put consumers at substantial risk by making their data available to anyone who visited that site. At the FTC’s request, a federal court ordered the site to take the information down. It also ordered the debt brokers to contact the consumers whose information had been compromised.

The settlements with Cornerstone and owner Brandon Lambert and Bayview and owner Aron Tomko require them to set up and maintain security programs to protect consumers’ sensitive information. And it won’t be a one-time thing. They have to get qualified third parties to certify their programs every two years.

Debt brokers will want to read "Buying or selling debts? Steps for keeping data secure." But even if debt isn’t your deal, the basic principles apply to any company with financial information in its files or on its networks.
