
Security Requirements for the Collection Industry

The credit and collection industry is subject to stringent security regulations.


Debt collectors must follow specific federal guidelines that establish consumers’ rights and collectors’ responsibilities, including laws such as the Fair Debt Collection Practices Act (FDCPA) and the Fair Credit Reporting Act (FCRA). Many of these laws contain data security and confidentiality provisions.

In addition, individual state laws and regulations may impose requirements on the safeguarding of sensitive consumer information, including obligations that require collectors to inform consumers in the event of a security breach involving consumer information.

Specialized laws such as the Gramm–Leach–Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require additional security standards to protect against unauthorized access to consumers’ confidential information.

By creating liability for both debt collectors and their clients, GLBA and HIPAA demand that privacy and security be top priorities in the credit and collection industry. In fact, before a collection agency can enter an agreement to provide services to a healthcare provider or financial institution, the agency must demonstrate its capability to safeguard consumer information at the employee and physical security level, as well as the information technology level.

The following summary of GLBA and HIPAA privacy and security rules explains collectors’ responsibilities and the measures a debt collector must take to ensure compliance with these laws. It is important to note that this is not an exhaustive list of the requirements under these laws.

Gramm–Leach–Bliley Act


Under the GLBA, a debt collector must comply with the Safeguards Rule, which requires the development of a written information security program containing administrative, technical and physical safeguards appropriate to the agency’s size and complexity, the nature and scope of its activities, and the sensitivity of the consumer information at issue. The GLBA Safeguards Rule requires a debt collector to:

  • Designate an employee to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
  • Identify reasonable, foreseeable internal and external risks to the security, confidentiality and integrity of consumer information and assess the sufficiency of any safeguards in place to control such risks.
  • Implement policies and procedures to control security risks to customer information and monitor their effectiveness.
  • Oversee service providers by selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information and requiring service providers by contract to implement and maintain such safeguards.
  • Evaluate and adjust the information security program in light of the results of the required testing and monitoring, material changes to operations, or any other circumstances which may have a material impact on the company’s information security program.

Further, the FTC recommends the following procedures for debt collectors to remain in compliance with the GLBA Safeguards Rule:

  • Lock rooms and file cabinets where paper records are kept.
  • Use password-activated screensavers.
  • Use strong passwords (at least eight characters long).
  • Change passwords periodically and do not post passwords near employees’ computers.
  • Encrypt sensitive customer information when it is transmitted electronically over networks or stored online.
  • Refer calls or other requests for customer information to designated individuals who have had safeguards training.
  • Recognize any fraudulent attempt to obtain customer information and report it to appropriate law enforcement agencies.
  • Train employees regularly on the agency’s safeguard policies.
  • Limit access to customer information to employees who have a business reason for seeing it.


HIPAA


Under HIPAA, a debt collector must comply with the Security Rule, which requires administrative, physical and technological safeguards to protect the confidentiality, integrity and availability of electronic protected health information (EPHI) in ways appropriate to the agency. While the requirements under the Security Rule are extensive and not listed in their entirety below, a debt collector must:

  • Develop and implement policies and procedures consistent with the covered entity the debt collector is operating for.
  • Designate an employee as a security official to coordinate its information security program in order to ensure accountability and achieve adequate safeguards.
  • Apply appropriate sanctions against employee(s) who fail to comply with the security policies and procedures of the agency.
  • Regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
  • Ensure that access to protected health information is only available to employees who need it.
  • Provide appropriate supervision of employees who work with protected health information or in locations where it might be accessed.
  • Control employee access to facilities in which paper records of protected health information are stored, and to software programs by which electronic records of this information can be accessed.
  • Ensure that when a staff member’s employment with the agency ends, his or her access to electronic protected health information is terminated.
  • Isolate the protected health information from other divisions of the company, if the agency is part of a larger organization.
  • Document and review employee use of electronic protected health information. Assign a unique login identifier and password for each employee, in order to trace the use of computer workstations or software programs to access the information.
  • Train all employees and management on the security policies of the agency.
  • Establish a contingency plan for responding to emergencies such as fire, vandalism and natural disasters that may damage systems containing electronic protected health information.
  • Implement a data backup plan to create and maintain retrievable exact copies of electronic protected health information.
  • Carefully monitor the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
  • Ensure the proper disposal of electronic protected health information and/or the hardware or electronic media on which it is stored.
  • Use password-activated screensavers that terminate a computer login session after a predetermined time of inactivity.
  • Encrypt consumer information during transmission over an electronic communications network.
  • Report any security incidents to the client.

In addition to complying with HIPAA’s Security Rule, debt collectors are required by HIPAA to notify a client of any unauthorized disclosure of unsecured protected health information held on behalf of the client in the event of a security breach.


http://www.acainternational.org/publications-Security-Requirements-for-the-Collection-Industry-7018.aspx
© 2012 ACA International