The Federal Trade Commission (FTC) recently obtained temporary injunctions against two passive debt buyers, which are companies that buy and sell debt portfolios and exclusively use third-party debt collectors. In complaints filed against the companies, the FTC alleged that the debt buyers had engaged in unfair practices under Section 5 of the FTC Act.

The FTC joins other federal regulators focusing on the debt buying industry, such as the Office of the Comptroller of the Currency, which recently issued guidance on consumer debt sales, and the Consumer Financial Protection Bureau, which is expected to release next year proposed regulations that will address debt buying. Any company that sells or purchases debt should be monitoring these regulatory developments carefully and incorporating any guidance into their company’s existing compliance management systems.

The defendants in the FTC action are Cornerstone and Company, LLC, and Bayview Solutions, LLC (Bayview Solutions is not related to Bayview Asset Management or Bayview Loan Servicing). The FTC alleges that the companies, during the course of trying to sell debt portfolios, exposed consumers’ personal information on a website that serves as an interactive marketplace where members of the debt buying and collection industry exchange information about debt portfolios.

Generally, debt sellers post only summary information about the portfolios they are offering, such as the type of debt, number of individual debts in the portfolio, the total face value of the debt, general age of the debt, and the number of collection agencies that previously attempted to collect the debt. In some instances, sellers may also post sample portions of their portfolios, but personal information is redacted or masked.

According to the FTC complaint, the defendants posted the personal information contained in the debt portfolios, in the form of Excel spreadsheets, on the website without encryption, appropriate redaction, or any other security measures. The FTC alleges that consumers’ bank account and credit card numbers, birth dates, contact information, employers’ names, and information about the consumers’ alleged debts were posted on the public website.

Although the FTC acknowledged that certain information may have been redacted, it alleges that all the other information revealed about each consumer in the Excel spreadsheet would allow bad actors to easily extract the redacted information. The FTC alleges that the disclosures violate the consumers’ privacy, put them at risk of identity theft, and expose them to “phantom” debt collection (a practice involving fraudulent parties trying to extract payments from consumers without authority to collect the debts). The temporary injunctions entered against each debt buyer require the defendants to notify the affected consumers and explain how they can protect themselves against identity theft and other fraud.

In conjunction with the enforcement action against these two companies, the FTC has also offered the following best practices for all companies seeking to sell debt portfolios:

  • No public disclosure of debtor information. The FTC has concluded that there is no legitimate business reason for publicly posting debt portfolios or making consumer information publicly available in any other way without proper privacy safeguards.

  • Store debt portfolios securely. The FTC recommends both physical and digital protections for this information, such as keeping paper copies in a locked room or in a secure cabinet; limiting employee access; keeping portfolios in password-protected files; and making sure all devices with access to the information have reasonable security measures.

  • Minimize the amount of consumer information shared with prospective buyers. Potential buyers may need access to some of the sensitive data in a portfolio to evaluate whether to make a purchase, but such information should be kept to a minimum. Debt sellers should also conduct due diligence on any potential buyers to confirm their identity before sharing any personal information.

  • Transfer data securely. When transferring data to a potential or final buyer, files should be encrypted or password-protected.

  • Dispose of data safely. Hard copies should be burned, pulverized, or shredded. Electronic files should be deleted in a manner that prevents computer criminals from recreating any deleted files.

  • Establish a breach policy. The FTC expects companies to start thinking about how to respond to a data breach before it occurs.

  • Use the free resources available from the FTC. The FTC enforcement actions, guidance, and other publications provide insight that companies should incorporate into their compliance management systems, such as Protecting Personal Information: A Guide for Business and Information Compromise and the Risk of Identity Theft.

Ballard Spahr's Privacy and Data Security Group assists clients in responding to data breaches and regulatory data security requirements. Members of the Group regularly work with clients to develop and implement data security plans and privacy policies.

Members of Ballard Spahr’s Consumer Financial Services Group regularly consult with their clients engaged in consumer debt transfers, including sales by originating creditors and purchases by debt buying entities. The Group has a team of lawyers with extensive experience assisting clients in the preparation and filing of comments in regulatory and legislative proceedings.

For more information, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or kaplinsky@ballardspahr.com.


Copyright © 2014 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practice

Consumer Financial Services

CFPB

Visit CFPB Monitor, our blog on the Consumer Financial Protection Bureau >

Subscribe to the blog via e-mail >