The Federal Trade Commission (FTC) recently obtained temporary injunctions against two passive debt buyers, which are companies that buy and sell debt portfolios and exclusively use third-party debt collectors. In complaints filed against the companies, the FTC alleged that the debt buyers had engaged in unfair practices under Section 5 of the FTC Act.

The FTC joins other federal regulators focusing on the debt buying industry, such as the Office of the Comptroller of the Currency, which recently issued guidance on consumer debt sales, and the Consumer Financial Protection Bureau, which is expected to release next year proposed regulations that will address debt buying. Any company that sells or purchases debt should be monitoring these regulatory developments carefully and incorporating any guidance into their company’s existing compliance management systems.

The defendants in the FTC action are Cornerstone and Company, LLC, and Bayview Solutions, LLC (Bayview Solutions is not related to Bayview Asset Management or Bayview Loan Servicing). The FTC alleges that the companies, during the course of trying to sell debt portfolios, exposed consumers’ personal information on a website that serves as an interactive marketplace where members of the debt buying and collection industry exchange information about debt portfolios.

Generally, debt sellers post only summary information about the portfolios they are offering, such as the type of debt, number of individual debts in the portfolio, the total face value of the debt, general age of the debt, and the number of collection agencies that previously attempted to collect the debt. In some instances, sellers may also post sample portions of their portfolios, but personal information is redacted or masked.

According to the FTC complaint, the defendants posted the personal information contained in the debt portfolios, in the form of Excel spreadsheets, on the website without encryption, appropriate redaction, or any other security measures. The FTC alleges that consumers’ bank account and credit card numbers, birth dates, contact information, employers’ names, and information about the consumers’ alleged debts were posted on the public website.

Although the FTC acknowledged that certain information may have been redacted, it alleges that all the other information revealed about each consumer in the Excel spreadsheet would allow bad actors to easily extract the redacted information. The FTC alleges that the disclosures violate the consumers’ privacy, put them at risk of identity theft, and expose them to “phantom” debt collection (a practice involving fraudulent parties trying to extract payments from consumers without authority to collect the debts). The temporary injunctions entered against each debt buyer require the defendants to notify the affected consumers and explain how they can protect themselves against identity theft and other fraud.

In conjunction with the enforcement action against these two companies, the FTC has also offered the following best practices for all companies seeking to sell debt portfolios:

  • No public disclosure of debtor information. The FTC has concluded that there is no legitimate business reason for publicly posting debt portfolios or making consumer information publicly available in any other way without proper privacy safeguards.
  • Store debt portfolios securely. The FTC recommends both physical and digital protections for this information, such as keeping paper copies in a locked room or in a secure cabinet; limiting employee access; keeping portfolios in password-protected files; and making sure all devices with access to the information have reasonable security measures.
  • Minimize the amount of consumer information shared with prospective buyers. Potential buyers may need access to some of the sensitive data in a portfolio to evaluate whether to make a purchase, but such information should be kept to a minimum. Debt sellers should also conduct due diligence on any potential buyers to confirm their identity before sharing any personal information.
  • Transfer data securely. When transferring data to a potential or final buyer, files should be encrypted or password-protected.
  • Dispose of data safely. Hard copies should be burned, pulverized, or shredded. Electronic files should be deleted in a manner that prevents computer criminals from recreating any deleted files.
  • Establish a breach policy. The FTC expects companies to start thinking about how to respond to a data breach before it occurs.
  • Use the free resources available from the FTC. The FTC enforcement actions, guidance, and other publications provide insight that companies should incorporate into their compliance management systems, such as Protecting Personal Information: A Guide for Business and Information Compromise and the Risk of Identity Theft.