In today’s financial landscape, regulators at both the federal and state levels are driving accountability for companies when it comes to data protection and security. We see that in the express requirement of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, whose amended provisions reached their compliance deadline on June 9, 2023, that each covered organization designate a qualified individual to oversee its information security program, and that the qualified individual report in writing, at least annually, to the organization’s board of directors or equivalent governing body.
This underscores the importance of protecting customer information in a digital age where information has its own intrinsic value.
Let’s take a look at the new updates to the GLBA Safeguards Rule, why these security requirements matter specifically for debt collection, and what best practices your business should follow to protect consumers’ data.
The GLBA Data Protection Law
The Gramm-Leach-Bliley Act, or GLBA, is a federal law that controls how financial institutions collect, store, and transmit consumer information. GLBA was enacted by Congress in 1999. The Federal Trade Commission (FTC), which enforces it for non-bank financial institutions such as debt collectors, amended its Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” in December 2021, and set June 9, 2023 as the compliance deadline for most of the new provisions, in an effort to continue protecting consumer data in an ever-evolving digital environment.
A few of the updates to GLBA’s Safeguards Rule include:
- Provides covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program
- Improves the accountability of these security programs, such as requiring financial institutions to designate a qualified individual responsible for overseeing, implementing and enforcing the program
Data Protection is Critical in Debt Collection
To attract clients today, a debt collector must demonstrate a full suite of information security practices covering physical, technical, and administrative safeguards, including comprehensive employee information security training. Failure to implement these practices can result in a security incident or, worse, a data breach. Data breaches are costly not only because of notification obligations, which often include paying for credit monitoring, but also because it can be difficult for a company to survive one at all. It is not unusual for a company to file for bankruptcy after a data breach.
Reputation and Customer Retention
Although complying with federal and state regulations helps companies avoid costly—even criminal—penalties, consumer trust that their financial data is being protected is critical to maintaining a positive reputation and retaining customers (even if they fall into delinquency).
Data protection policies are often treated as set-it-and-forget-it, or even as a luxury of lower priority due to limited resources, expertise, or familiarity. But for today’s consumers, data security is a top priority.
A recent study by MAGNA Media Trials and Ketch showed that 74% of people rank data privacy as one of their top values, consistently across every age group. On the flip side, the study showed that nearly 9 out of 10 consumers report that strong data privacy practices positively affect their relationship with a company.
Keeping Up With Compliance
Along with federal regulations, individual states are also issuing new laws focused on consumer data protection. California, Utah, Colorado, Connecticut and Virginia all passed data privacy laws over the past several years that take effect in 2023. This past March, Iowa passed a data privacy law, taking effect on January 1, 2025, that is very similar to Virginia’s and Colorado’s laws in affording consumers a right to know and a right to request deletion. Pennsylvania amended its Breach of Personal Information Notification Act by, among other things, expanding the definition of “personal information” to include medical and health insurance information, and a username or e-mail address in combination with a password or security question and answer that would permit access to an online account. Several more states have privacy and security bills in draft.
Although GLBA and the state data protection and privacy laws are the hot topic in compliance today, GLBA is not the only federal privacy regulation lenders and debt collectors need to follow and monitor for changes, or face the consequences of non-compliance. Here are some other laws and amendments impacting the industry:
- The Fair Credit Reporting Act: Credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy, with potential criminal liability for certain misconduct.
- The Dodd-Frank Wall Street Reform and Consumer Protection Act: Established the Consumer Financial Protection Bureau (CFPB), with the authority to supervise and regulate entities that offer or provide consumer financial products or services.
- Health Insurance Portability and Accountability Act (HIPAA): Its Privacy Rule and Security Rule govern the privacy and security of protected health information (PHI) and apply to covered entities (doctors, hospitals, pharmacies, health plans and insurers) and to their business associates, i.e. the vendors that handle PHI on their behalf. PHI is defined broadly: individually identifiable health information, in any form, that relates to a person’s health condition, the care they receive, or payment for that care.
Consumer Data Protection is Not a Luxury
Having good security practices in place is not only beneficial for both consumers and businesses, but also critical to staying compliant with the new laws and amendments being introduced. Here are some of the best privacy and security practices to implement to protect customers, protect the company, and stay compliant:
- Practice data minimization.
- Know where personal information lives at all times by creating a data map of where the data flows and is stored throughout your systems, which includes knowing your vendors’ data security and privacy practices and controls.
- Know who has access to personal information, and routinely examine whether that access is still necessary for the person’s job function.
- Be intentional with how data is organized and stored so it can be easily segmented and treated differently if need be (think network segmentation).
- Have a public-facing Privacy Notice, and make sure it accurately reflects your actual practices for collection, use, deletion and correction.
- Conduct an annual data security risk assessment to continually reassess areas for improvement and where you may need additional controls.
- Ensure contracts with parties from whom you receive, or to whom you provide, personal information specifically address each party’s obligations and restrictions on how personal information is used, shared, disclosed, stored, and sold (if permitted).
The TrueAccord Approach
At TrueAccord, empathy towards the consumer is a core part of our company mission: we enable businesses to collect more, faster, and from happier customers.
Ready to collect more, faster, from happier customers? Learn how TrueAccord weaves compliance and data security into debt recovery by scheduling a consultation today.