The Federal Trade Commission announced a newly updated rule that strengthens the data security safeguards that financial institutions must put in place to protect their customers’ financial information. In recent years, widespread data breaches and cyberattacks have resulted in significant harm to consumers, including monetary loss, identity theft, and other forms of financial distress. The FTC’s updated Safeguards Rule requires non-banking entities to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.
Debt relief companies appear to get sucked in as “finders.” These are parties that are not financial institutions but that “play a role in connecting buyers and sellers.”
The public documents on this action say the Federal Reserve Board describes acting as a finder as “bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” The Board sets forth several activities that are within the scope of acting as a finder, such as “[i]dentifying potential parties, making inquiries as to interest, introducing and referring potential parties to each other, arranging contacts between and meetings of interested parties” and “[c]onveying between interested parties expressions of interest, bids, offers, orders and confirmations relating to a transaction.”
The rule appears to apply to all debt relief companies and ancillary companies that have a continuing relationship with consumers: companies “that perform finding services for consumers with whom they have an ongoing relationship are properly considered ‘financial institutions’ for purposes of the Rule.”
“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
The changes adopted by the Commission to the Safeguards Rule include more specific criteria for what safeguards financial institutions must implement as part of their information security program, such as limiting who can access consumer data and using encryption to secure the data. Under the updated Safeguards Rule, institutions must also explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information.
According to the discussion of the rule in the Federal Register, “The Commission noted that there was no basis to exclude sole proprietors and that ‘[w]hether or not a commercial enterprise is operated by a single individual is not determinative’ of whether the enterprise is a financial institution.”
It also defines an information system as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or any such system connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems, that contains customer information or that is connected to a system that contains customer information.”
That definition seems to cover the information access systems used by most people.
As always, you should consult a knowledgeable attorney to discuss regulatory requirements and liability exposure to determine if any regulation applies to your debt relief company.
This Safeguards Rule document will provide you with more information regarding your responsibilities to safeguard consumer data. But rest assured, it is a lot of work.