Like any business that handles personal information, debt collection agencies have obligations to maintain reasonable safeguards to protect that information. Recent enforcement activity by the Minnesota Attorney General’s office makes this clear. The banks, health care providers and other businesses that utilize collection services are also driving compliance as they demand these companies have written information security programs in place to protect the personal information of their customers/patients. Increasingly, debt collection companies are required to complete comprehensive surveys about their data protection practices, and are not always in the best position to do so.
In the Minnesota case, even where appropriate safeguards may have been in place, a breach resulting from a stolen laptop triggered the state’s Attorney General to inquire into not only the company’s privacy safeguards, but its business model as well. According to Attorney General’s office, the company employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota hospital patients in a rental car in the parking area located in a bar and restaurant district of Minneapolis where it was stolen.
For these companies, the requirements can be complex since they will depend on not only the kinds of information they collect, but also the businesses they serve (and what laws regulate those businesses), the state of residency of the individuals whose records the collection agency maintains, and the states in which the company does business.