Press Enter to Search

Data privacy and data security are two very hot topics in the ARM industry today. The California Consumer Privacy Act (CCPA) is set to take effect in January 2020, with additional privacy bills now pending in at least 25 states. Meanwhile, cyber crimes involving consumers’ personal data are growing in number, size, and sophistication.

While ARM business leaders are rightly focused on these issues, many are uncertain about the true nature and extent of their compliance and security risks. They’re also not sure how to manage these risks effectively.
Recently, I had the privilege of joining two distinguished industry colleagues for a panel discussion about data privacy and security: Odia Kagan, partner and chair of the GDPR Compliance and International Privacy division at Fox Rothschild LLP; and Ben Johnson, director of risk management for Cornerstone Support.
Here are some, but not all, of the major issues and topics we addressed (you can access the full webinar here).

Data privacy: Understanding and Preparing for the CCPA

The CCPA applies to any business or service provider that collects personal data, determines the purpose and means of data use, or controls or is controlled by such a company.
Starting January 1, 2020, the CCPA will grant California residents certain rights pertaining to personal data collected since January 2019 (a 12-month look-back window). Residents will be able to file claims for data access or deletion or for an opt out. Companies subject to the CCPA will have 45 days to respond.
Types and uses of data covered under the law run the gamut. Personal data can include everything from Social Security numbers and birth dates to lead generation activity, online browsing history, and interactions with mobile apps.
“Information like name, email address, collections history, purchase history, payment history, and determinations that you make off this (this person is likely to pay on time, they’re not likely to pay on time)—all of those things were not considered personal information in the traditional sense under U.S. law. That all has changed.” – Odia Kagan
Your business may be in scope if you do business in California and meet the minimum business thresholds listed below.
For purposes of CCPA compliance, doing business in California means:
  • Your headquarters are in California;
  • Your employees are in California;
  • Your company is incorporated in California;
  • Your company satisfies the definition of a California foreign entity; or
  • You conduct out-of-state sales or transactions into California.


Minimum business thresholds are defined as:


  • You conduct business activities in California and your annual revenues exceed $25 million;
  • You’re involved with personal data of more than 50,000 consumers, households, or devices (this could even include unique blog visitors); or
  • Sales of personal information—including value acquired from its use (via data analytics, for example)—accounts for at least 50% of your annual revenues.
To better understand how CCPA might affect your business and to prepare for its impact, you’ll want to take the six important steps Odia outlined in detail:
  • Map your data flows and processes
  • Determine your role under the law (independent business, service provider, or vendor)
  • Look carefully at legal purpose as well as GLBA and FCRA exemptions and whether they apply
  • Determine how you’ll comply with consumer requests within the required 45-day window
  • Reevaluate your internal processes
  • Plan for CCPA disclosure
“So it’s basically looking at processes, looking at the information, seeing how [you] get to it, how [you] can produce it. Then the other question is, ‘Once I know how to collect all of this information, how do I provide the disclosure that CCPA requires me to provide along with all the information I am giving?’” – Odia Kagan

Data security: Reducing the Risk and Impact of Cyber Crime

As Ben reminded us, cyber crime has been called “the greatest transfer of wealth in history.” The exchange of consumer data via ID theft, phishing, hacking, etc. has been compared with the global drug trade and is estimated to be worth as much as a trillion dollars per year.
Guarding against breaches and developing a breach response plan are essential for managing risk and minimizing disruption, financial losses, and potential harm to client relationships.
Have a specific plan in place
In a security breach “fire drill,” you should know whom to call and what steps to take. Ben recommends, among other things, a cyber liability insurance policy (with full limit breach notification response), an established reporting process, and discussions with a claim adjuster and legal counsel. A breach response should also include forensic analysis to assess the source and extent of the damage.
“Some of you saw there was a high-profile breach in the collection space earlier this year. One of the things that came out . . . was that maybe they took a little bit longer to get a plan in place and respond. And so at times, that can make the cost even greater or the damage even greater.” – Ben Johnson
Monitor operations in real time
Many companies enlist a dedicated third-party provider to monitor operations and flag any security weaknesses and unusual activity. Identifying problems early on will allow you to limit or compartmentalize the damage.
Change the way you store old data
Many high-profile breaches have involved personal information that dates back 10 or more years. Storing too many old records is a serious potential liability. By encrypting older files and offloading them to an external (ideally cloud-based) server, you can effectively make the data worthless to hackers and avoid triggering notification responses.
“[Data] almost was seen as a . . . valuable asset—to have all this data, all of this knowledge, all of this experience. And secondly, data storage is relatively cheap. So another year goes by, another million records go on the server. [ . . . ] I think as an industry, collectively, we’ve really got to start sharing best practices, talking about what we’re doing to get old files offloaded.” – Ben Johnson

For More Answers and Advice, Catch the Complete Webinar

During our panel discussion, Odia and Ben covered a lot of territory. They offered detailed insights on the above topics and raised a number of other issues ARM business owners need to consider. “Straight Talk About Privacy, Security, and Cyber Liability for Debt Collectors” is one webinar you won’t want to miss. Download and view it today.


Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies.

© 2019 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

Beyond Integration: How to Compete to Win in the ARM Market

Beyond Integration: How to Compete to Win in the ARM Market

This is the final post in our OS blog 2.0 series highlighting the “ARM ecosystem”—what it is, how it works, and how ARM businesses can benefit by adopting this approach.  With its dense maze of business, legal, and market challenges, the ARM industry is a tough one to...

How to Maximize Your Account Reps’ Collection Efforts

How to Maximize Your Account Reps’ Collection Efforts

This is the third of four posts in our OS blog 2.0 series highlighting the “ARM ecosystem”—what it is, how it works, and how ARM businesses can benefit by adopting this approach.  In the collections business, as in all industries, time is money. Time well spent is...

Posted by Rozanne Andersen

Rozanne Andersen, J.D., serves as Ontario Systems’ Vice President and Chief Compliance Officer. She is responsible for leading Ontario Systems’ corporate efforts and response to the CFPB’s launch of compliance examinations in the ARM industry. Rozanne is a recognized thought leader in the area of compliance. Her advocacy work on behalf of the credit and collection industry has resulted in landmark legislation and regulation at both the state level and at the federal level with regard to the FDCPA, FCRA and HIPAA.
All Posts