June 18, 2020
After a contentious meeting, Washington’s state Collection Agency Board voted in emergency rules to allow debt collectors to work from home.
One issue remains: will this put consumers’ personal information at risk?
The two board members representing the collection industry voted to approve the rule, along with the board’s chair – a deputy assistant director of the Department of Licensing, which regulates the collections industry. The two board members who represent the public interest voted no on the new rule.
A similar rule was voted down in a last-minute meeting in March, at the beginning of Washington’s stay-home order put in place to fight the coronavirus pandemic. Another emergency meeting was scheduled for June 4, but was canceled after I started asking questions.
Board member Mari Neubauer was one of today’s no votes.
“I think the rule we voted on today undermines the Collection Agency Act,” says Neubauer. “I absolutely think this creates a huge security risk.”
The rule voted in today has new measures aimed at protecting consumer data.
It requires companies to do the following:
1. Create a written IT policy.
2. Secure systems with a Virtual Private Network, or VPN.
3. Record and monitor all calls initiated or received by collection agency employees.
We sent the new rule to two computer security experts to get their take.
Tarik Saleh, of DomainTools, is concerned it doesn’t compel companies to provide collection agents with take-home computers.
“If I’m on my personal laptop and I’m browsing Facebook and I accidentally click onto a bad link and I get a piece of malicious software on my computer, that malicious software technically could access that sensitive personal data,” says Saleh.
Computer security expert Mike Hamilton from CI Security says the rule could give scammers a new place to focus their efforts.
“A threat actor who gets wind of this will target those remote workers, knowing their home networks are insecure. Knowing they have an open-pipe tunnel back to a big data source. I think that raises risk not lowers risk,” says Hamilton.
Remember this: most home computers rely on their own security protections. If a scammer gets the password to a debt collector’s router or other internet-connected device, these new security measures would be rendered useless.
“You know, people have doorbells, thermostats, all kinds of stuff, all kinds of internet connected junk. And if they haven’t changed the defaults on any of that, it’s pretty easy to take over, gain entry into that home network and use that as the launching point off to the data you actually want to steal,” says Hamilton. “This is not far-fetched. Our company is responding to incidents where this has exactly happened.”
That’s why board member Mari Neubauer says she’s pushed for a formal rule-making process that would allow for public comment.
“We need to hear from the experts you spoke with. We need to hear from consumer advocates from the industry, from the public in order to have a rule that doesn’t have easily avoidable unintended consequences,” says Neubauer.
I reached out to the industry group, the Washington Collectors Association, to ask whether the rules kept consumer data safe and were fair to collection businesses. The organization sent this statement:
“The Washington Collectors Association strives to be a collaborative voice in discussions with policy makers in responding and addressing the needs of consumers, businesses, and employees during the COVID-19 pandemic and beyond. We have advocated support for the ability to work from home, like many other businesses and industries across the State of Washington. Working from home during a pandemic will help keep our workers safe and allow us to help with debt resolution.”
The emergency work-from-home rule is in effect for 120 days. The board also voted to start the process to make it permanent.