Posts Authored by Lindsay S. Oak

Important changes to debt collection practices: What you need to know

The Consumer Financial Protection Bureau (CFPB) has issued major updates to the rules that affect creditors and those that collect their debt by amending Regulation F, which implements the Fair Debt Collection Practices Act (FDCPA).  Businesses covered by the new rules should consider preparing for the changes as soon as possible before the amendments go into effect on November 30, 2021.
As a threshold issue, it is noteworthy that the Bureau expanded the definition of a covered “consumer” by now including both living and deceased people within the regulation’s coverage.  A deceased consumer’s estate is now entitled to protections of the FDCPA, a change that may result in important consequences for debt collectors, who will now be required to provide validation information to an estate representative when it seeks collection against a decedent’s estate.
In addition to modernizing the guidelines to address collection-related communications through email, text messaging, and social media, the CFPB has also imposed new rules for consumer-oriented disclosures, the reporting of credit information to consumer reporting agencies (CRAs) and bringing suit on time-barred debt. For more information, read the full story.  
Consumer Lending and Services

FTC announces new and improved data security guidance

On January 6, 2020, Andrew Smith, Director of the Federal Trade Commission (FTC) Bureau of Consumer Protection, announced three significant improvements to the FTC’s approach to data security enforcement cases. The improvements fall into three categories:

1) Greater specificity: The FTC will continue to require that a company implement a comprehensive, process-based data security program, but now require that the company implement specific safeguards, such as yearly employee training, access controls, monitoring systems, and encryption.  The FTC believes these specific safeguards will provide more clarity to companies and enhance order enforceability.

2) Increased third-party assessor accountability: The FTC will continue to require outside assessors to review a company’s comprehensive data security program, but the review must now be more rigorous.  Assessors are now required to substantiate their conclusions with evidence, retain documents related to the assessment, and cannot invoke privilege when asked to provide those documents to the FTC.  The FTC now also has the authority to approve and re-approve assessors every two years, allowing them to require companies to hire new assessors if they aren’t meeting certain expectations.

3) Boards and C-Suite have a more active stake in data security matters: Every year, companies must now present their Board or governing body with their written information security program, and senior officers must now provide annual certifications of compliance with the security programs to the FTC.  The FTC desires a company’s senior leadership to be more involved in complying with key data security guidelines. These changes are consistent with research that suggests that increased oversight at the executive level dramatically improves the company’s data security safeguarding. 

The FTC has already incorporated these improvements into seven orders it made against companies in 2019. Although the results of these new changes have yet to be seen in enhancing cybersecurity nationwide, the changes no doubt address gaps in companies’ data security programs that have led to serious and large-scale breaches of consumer information in the past few years. The FTC’s efforts to address cybersecurity are intended to protect consumers but will require businesses to devote additional resources to counter a problem that is not likely to go away any time soon.

Consumer Lending and Services, Legal Developments