In order to assist the Consumer Financial Protection Bureau with its statutory obligation to report annually to Congress concerning the federal government’s efforts to implement the Fair Debt Collection Practices Act, the Federal Trade Commission submitted a summary of its own enforcement activities during 2014.

The FTC’s summary highlights not only the “aggressive law enforcement activities” of the previous year, but also the FTC’s anticipation of a more robust partnership with the CFPB in 2015.  The summary notes the FTC’s particular focus on, among other things, protecting the security of consumer data during debt-purchasing transactions.  Specifically, the FTC noted its success in obtaining preliminary injunctions in cases against two different debt sellers that had posted personally identifying information of more than 70,000 consumers on public websites in an effort to market available portfolios of delinquent consumer debts.

The FTC, like many other consumer protection agencies, has become increasingly aware of the consumer privacy concerns that arise as more and more information is stored and shared digitally.  Debt sellers are well-advised to adopt appropriate data security safeguards and, at a minimum, to stop marketing their portfolios publicly to unknown entities.  In any event, debt sellers should ensure that sensitive information – bank account numbers, loan numbers, credit card numbers, birth dates, and Social Security numbers, to name a few – is redacted before being sent to prospective buyers.  While certain prospective buyers may need access to some data to evaluate whether they wish to make a purchase, sellers should minimize such disclosures and always transmit such data in encrypted or password-protected files.  Where the files are password-protected, sellers should also consider sending the password itself in a separate transmission.

Participants in the debt selling and buying marketplace should anticipate that the FTC’s efforts to protect consumer privacy during 2015 and beyond will only increase.  They should, therefore, revise their data security protocols accordingly.