Receivables Leaders Are Taking These 7 Steps This Year to Armor Their Cybersecurity Programs

By Rozanne Andersen

March 1, 2017


In 2016, cybersecurity worldwide increased by nearly $74 billion – A significant shift, to say the least. But it shouldn’t come as much of a surprise: The average consolidated cost of a data breach has risen to $4 million, and the average cost for each stolen record now sits at $158. And that doesn’t even take into account harm to a business’s reputation.

We know something about why those breaches happen: 56% of them now occur from phishing attacks, with 30% of users opening phishing emails, and 12% clicking on the links contained in them. 99% of computers use software that is vulnerable to attack if not updated. Technology moves at light speed, and so do those intent on stealing consumer information. So given all that information, where should you, as a receivables professional, begin to mitigate your risk?

Start with these 7 items:

  1. Validate your data security – You might have the best people, the best process and exhaustive documentation of it all, but technology moves at light speed, and so do identity thieves. You won’t truly know if you’re secure if you don’t test your system with an independent audit.
  2. Bake your compliance and data security programs into everyday business – Keeping consumer information safe shouldn’t be a bolted-on summary process: It needs to be considered with the most granular of activities. Consider data security and compliance when making shifts in technology or operations, and create authoritative IT policies followed daily.
  3. Ensure appropriate access control – Provide your employees with only the data they need to perform their jobs. Train your team, including C-level executives, on why these restrictions enhance data security. Specifically, access beyond what’s necessary often exacerbates ransomware attacks.
  4. Keep an eye on your vendors – Regulatory organizations, including the CFPB, have made it clear you are responsible for overseeing your service providers’ data security practices. That means conducting appropriate oversight for every firm, since their practice can impact the security of your own data. Send a security questionnaire or schedule an on-site visit. Too much to bear? Hire an outsourcer.
  5. Get a handle on collection notices and letters – Know your validation notices and timelines for the first 30 days: Send a letter upon contact, validate by phone, get settlement letters in line and brush up on the ECOA.
  6. Know your electronic payment requirements – There are many types of electronic payments, and each has different requirements for authorization and authentication. Are you aware of your options to appropriately document authorization and payment arrangements? Your letters, recurring payment arrangements, the FDCPA, EFTA and Reg E all come to bear here.
  7. Brush up on consumer consent and revocation – Your payment arrangements, the TCPA and the FDCPA all matter when it comes to spousal communications, age of majority, doctrine of necessities, and the time, place or manner of calls you make. Document, document, document!

Perhaps most importantly: Be involved! As a business leader within your organization and community, ask yourself what YOU are doing to make sure your company stays out of the news. Most established firms have a formal program for CFPB and FDCPA compliance, but many have yet to consider standards like PCI, HIPAA and the GLBA Safeguards Rule. You may trust your technical and operations staff are staying compliant – But how and why are you sure? That’s an important question to ask in an age when data security matters more than ever.


Disclaimer: Ontario Systems is a technology company and provides this blog article solely for general informational and marketing purposes. You should not rely on the content of this material for any other purpose or as specific guidance for your company. Ontario Systems’ advice, services, tools and products described herein do not guarantee compliance with any law or industry standard. You are ultimately responsible for your own company’s actions and compliance efforts. Because everyone’s situation is different, you must consult your own attorneys, accountants, and/or other advisors to obtain specific advice on your company’s compliance, legal, tax, regulatory and/or other business needs. Despite Ontario Systems’ efforts to provide current and up-to-date information, you need to recognize that the information contained herein may become outdated quickly and may contain errors and/or other inaccuracies. 

© 2017 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.

About the Author

Rozanne Andersen

Rozanne Andersen, J.D., serves as Ontario Systems’ Vice President and Chief Compliance Officer. She is responsible for leading Ontario Systems’ corporate efforts and response to the CFPB’s launch of compliance examinations in the ARM industry. Rozanne is a recognized thought leader in the area of compliance. Her advocacy work on behalf of the credit and collection industry has resulted in landmark legislation and regulation at both the state level and at the federal level with regard to the FDCPA, FCRA and HIPAA.

Sign Up For Email Updates