海角大神

Modern field guide to security and privacy

Opinion: Your data needs more protection from shady debt collectors

HBO's John Oliver shined a light on tricky debt collection practices. How agencies often mishandle debtors' sensitive personal information, and the lax standards for how this information should be treated, is equally troubling.

Melanie Stetson Freeman/海角大神
Georgia woman Stephanie Maple kept notes about calls she got concerning collection on a debt her husband doesn't remember having. One debt collector illegally told her the agency would take her house and send her husband to jail if they didn't pay an old debt.

John Oliver wasn't optimistic during his June 5 segment on debt collection. Shady brokers use aggressive, unethical, and legally problematic tactics to bully cash-strapped Americans into paying money they owe anymore. As bleak as that sounds, Mr. Oliver only hinted at the even deeper trouble people could find themselves in, if brokers mishandle their sensitive information.

Debt agencies often use Microsoft Excel spreadsheets, containing a debtor's name, Social Security number, address, and other information that could give criminals all the information they need to perpetrate identity theft, fake phone solicitation, and other types of fraud. If that sounds unbelievably sketchy, that's because it is.

But isn't there some kind of measure in place for protecting the data that resides in those spreadsheets? Yes, kinda. Though it's clear those measures have substantial loopholes that could allow your personal information to fall through the cracks. If tougher penalties were in place, however, it's likely that firms wouldn't even consider engaging in this kind of activity at all.

Some regulations do exist

Spreadsheets and other information portfolios are covered under the , which states that covered entities are required to maintain, protect and secure consumers' records and information. But the safeguards are short on specifics, only requiring that firms assign at least one employee to protect data, that they develop a program capable of protecting that data, and update company policy when necessary. Those are broad provisions that could make it possible for companies to be compliant while not actually doing everything possible to protect debtor information.

Debt buyers from sending the annual privacy notices like the kind you might get from your bank. This is ostensibly because issuing so many notices caused too many headaches for these businesses, after they received floods of calls from recipients who were confused about the purpose of the letter. Though they are required to send an , which outlines a debt buyers' privacy policy and whether they share information with third parties.

The Federal Trade Commission (FTC) go after debt buyers that adequate data security measures or who sell data directly to scammers. But it's not often enough, and these collection agencies are not held to a high enough standard when it comes to handling your data.

In one instance, the FTC went after a debt broker accused of publicly posting the sensitive personal information of more than 70,000 people without encryption, redaction or any other form of protection. Those spreadsheets were viewed at least 500 times, according to the FTC.

In February, a group of debt agencies over charges they misled customers about how easy it would be to get a loan, then "knowingly provided scammers" with Social Security numbers and bank account information on hundreds of thousands of people. That made it possible for scammers to steal millions of dollars from the accounts of already broke Americans, the FTC alleged. The penalty? A $4.1 million fine against one debtor and $5.7 million in suspended fines against three others.

Standards aren't high enough

In many states, debt buyers and collection agencies aren't even required to have a license or bond, and regulations for interstate collections are even spottier. There are almost certainly a whole slew of mom and pop companies whose practices may be problematic, but not so much so as to draw attention, or fines, from federal authorities. And it's not uncommon for debts to be to different companies, so even if your information is safe with one agency, it might not be the same story elsewhere.

It's likely that the cases pursued by the FTC are merely the ones that are so egregious that the FTC can't look away. Countless smaller companies, who deal with only a handful of portfolios, may escape official notice entirely.

Ideally, purchasing debt would also require a license in all 50 states. The Gramm-Leach-Bliley Act requires debt buyers follow a , a regulation that forces companies to clearly define how they implement technical and physical security. Requiring an audit of that plan would go a long way toward raising the cost of entry so that debt buyers act like legitimate businesses, rather than as bullies who care little for the damage they do to a person's life.

When it comes to oversight, there is a silver lining. It's that the companies who acquire the freshest debts may be the biggest companies, and thus the most likely to be scrutinized. So if a debt buyer or collection agency starts bugging you, it's best to work as quickly as possible to resolve the situation. That way you can make sure your information doesn't fall into the hands of less-reputable brokers.

If you discover that your information has been given to a debt broker or collection agency, here are some tips to help you get your situation resolved promptly:

Verify the debt

It's important to verify in writing what information debt buyers have on you, especially since they often have incomplete or outdated information that has already been sold to multiple brokers.

The covers what collectors must do to verify your information. It's a good idea to contact the original creditor to confirm that they have sold your account, and to whom. The debt may have been passed off after the initial sale, but it's important to investigate where it went next and if you can stop it from being sold again. If the account is through a healthcare facility or insurer, it's especially important to go to that organization directly in order to decrease the necessity for any additional information to be shared with the broker.

Document everything

It's always a good idea, especially in case you need to take legal action, to request all information in writing. Be sure to store that documentation securely, both with some form of encryption and by backing up any digital copies. All that takes is an external hard drive and/or teaching yourself meant to shield your data.

Check your credit report early and often

If fraudulent accounts or charges have been made in your name, checking your credit report may indicate a problem before collectors contact you. By checking with all three credit bureaus regularly, you can spot inaccuracies quickly and either stop creditors from contacting you or at least reduce the level of surprise when they do. Also, keep in mind credit report records sometimes take several months to update, so the absence of collection accounts does not mean you're totally in the clear.

The website has excellent, detailed instructions to help you stop the collection process and correct your record.

It's troubling to find yourself at the mercy of these debt collection agencies. But it's not an issue you can ignore, even if it's clear the company is operating on erroneous information. By acting quickly, and documenting every interaction, you can minimize the risk to yourself and your credit rating. Until the FTC dedicates more resources to fighting back on behalf of all Americans, it's the only thing you can do.

Lysa Myers is a security researcher at ESET. Follow her.
