The Federal Trade Commission Monday announced that it has reached final settlements with two debt portfolio brokers for disclosing too much personal information about debtors in online postings marketing their portfolios for sale. The FTC announced the cases last year, and today’s announcement highlighted new security requirements for the brokers going forward.
The FTC said that in separate cases — against Cornerstone and Company, LLC and Bayview Solutions, LLC – the debt brokers posted unencrypted documents online containing consumers’ names, addresses, credit card numbers, bank account numbers, and amounts the consumers allegedly owed. The sensitive data was posted on a website geared for debt buyers, sellers, and other members of the debt collection industry, but accessible to anyone with an internet connection.
The settlements with Bayview and Cornerstone require that the companies establish and maintain security programs that will protect consumers’ sensitive personal information. In addition, the companies must have their security programs evaluated both initially and every two years by a certified third party. A federal court also ordered the website hosting the sensitive information to take it down immediately and the brokers to notify affected consumers.
But one of the companies had already taken those steps last year.
In a statement provided to insideARM when the original story ran, Bayview noted that it had put the matter behind it in September.
“Last summer we made a mistake, we had a glitch,” the company stated. “We cooperated with the FTC and resolved the matter with a signed settlement. It affected a small part of our inventory, which we have isolated. We notified all affected consumers, according to the settlement, and we have taken steps to make sure this does not happen again. We have put the issue behind us, business is good and we are looking forward to helping our clients grow their business.”
The announcement is a continuation of federal regulators’ focus on phantom debt collection and fake debt collection companies, a positive development for legitimate industry players.
The FTC did note in its press release that “the defendants exposed those consumers to risks ranging from identity theft to “phantom debt” collection. Phantom debt collection involves predatory debt collectors who try to extract payments from consumers without the authority to collect the debts.”
Just yesterday, the FTC announced a legal action against a fake debt collection scam located in a suburb of Chicago that focused on “phantom” debts. And last week, the CFPB announced its own action against a debt collection scammer. That particular case involved additional action against technology vendors.
The CFPB’s action last week and the FTC’s announcement today also expose what might be a more difficult trend in the ARM industry: the targeting of vendors and service providers to debt collectors. The CFPB’s action attempts to hold payment processors and voice broadcasters responsible for the actions of bad actors, while the FTC is tacitly alleging that lax portfolio security can lead to debt collection scammers acquiring consumer information.
The FTC did once again point to a blog post from last year detailing steps debt buyers and sellers can take to secure consumer data.