Nexa Collections

law

Why Cybersecurity Matters for Collection Agencies

Handling debtor information securely isn’t just good business—it’s legally essential. For collection agencies, failing to protect sensitive debtor data can be disastrous. Here’s what agencies must know about cybersecurity and why it matters:

Compliance Isn’t Optional

Collection agencies are regulated by laws such as the Fair Debt Collection Practices Act (FDCPA) and the Gramm-Leach-Bliley Act (GLBA). These regulations demand stringent data security practices. If an agency doesn’t comply, it could face serious penalties. For example, a violation under the GLBA can lead to fines of up to $100,000 per violation for the agency, and agency officers could be personally fined up to $10,000.

Real Cyber Threats, Real Costs

Debtor data is particularly appealing to cybercriminals. It often contains Social Security numbers, bank account details, and personal contact information. A single breach can expose thousands of individuals’ sensitive data. In one notable incident, a medium-sized collection agency suffered a ransomware attack that compromised over 25,000 debtor accounts. The cost of addressing this breach—including legal fees, notification costs, and settlements—exceeded $1 million.

Protect Your Reputation

A breach doesn’t just mean financial loss; it can severely damage an agency’s reputation. Clients depend on agencies to handle debtor information responsibly. For instance, after experiencing a data leak involving debtor information, a California-based collection firm lost key contracts, amounting to nearly $500,000 in annual revenue. Effective cybersecurity shows clients and debtors alike that your agency is trustworthy and reliable.

Minimizing Risks Through Security Practices

Agencies must take proactive cybersecurity steps. Secure portals, encryption, firewalls, and two-factor authentication (2FA) are foundational security measures. Consider a situation where an employee accidentally emails debtor information without encryption. Such an incident could result in fines ranging from $5,000 to $50,000 per violation under certain state privacy laws, like the California Consumer Privacy Act (CCPA).

Be Prepared to Respond

No cybersecurity strategy is foolproof. Thus, having an incident response plan is crucial. Rapidly addressing breaches can limit damages significantly. Agencies should conduct regular cybersecurity training and periodic audits to identify potential vulnerabilities before they become expensive problems.

Security Checklist for Clients

Before sharing delinquent customer data, clients should ask collection agencies:

  • Do you comply fully with relevant laws such as FDCPA, GLBA, and state-specific privacy laws?
  • What cybersecurity measures do you have in place (encryption, Two-factor authentication, VPN, firewalls, secure portals)?
  • How regularly do you conduct cybersecurity training for your staff?
  • What is your response plan in case of a data breach?
  • Are you protected in case there is a mistake at their end ( Do they have a Cyber Security insurance?).

Bottom Line

Cybersecurity for collection agencies isn’t just a technical necessity—it’s a vital part of managing risk, maintaining compliance, and safeguarding both finances and reputation.

Filed Under: law

California Privacy Rights Act (CPRA) – Key Points

The California Privacy Rights Act (CPRA) is a privacy law that was approved by California voters in November 2020, and it is set to take effect on January 1, 2023, with enforcement beginning on July 1, 2023. The CPRA builds on the California Consumer Privacy Act (CCPA), which was enacted in 2018, and further enhances privacy protections for California residents. Here are some key provisions and enhancements introduced by the CPRA:

  1. Creation of the California Privacy Protection Agency (CPPA): The CPRA establishes a new state agency, the California Privacy Protection Agency, to enforce the law, and issue regulations and guidance.
  2. Expanded Rights of Consumers: CPRA expands the existing rights under CCPA and introduces new rights for consumers, such as the right to correct inaccurate personal information, and a broader right to opt-out of not only the sale but also the sharing of personal information for advertising and marketing purposes.
  3. Sensitive Personal Information: The CPRA introduces a new category called “sensitive personal information” which includes precise geolocation, race, religion, biometric data, health information, and more. Consumers have the right to limit the use and disclosure of sensitive personal information.
  4. Data Minimization and Purpose Limitation: Businesses are required to limit the collection of personal information to what is necessary for the purposes for which it was collected and must specify the purpose for collecting or using personal information.
  5. Risk Assessments and Audits: Certain businesses must conduct regular risk assessments and submit cybersecurity audits regarding their processing of consumers’ personal information.
  6. Increased Penalties for Violations Involving Children’s Data: The CPRA increases penalties for violations of the law that involve the personal information of minors.
  7. Expanded Breach Liability: CPRA expands the private right of action for data breaches to include unauthorized access or disclosure of an individual’s email address combined with a password or security question and answer that would permit access to an account.
  8. Service Providers and Contractors: CPRA imposes new obligations on service providers and contractors and requires specific contractual provisions when businesses share personal information with these parties.
  9. Exemptions: The CPRA extends certain exemptions, such as those for business-to-business (B2B) and employee data, but they are subject to conditions.
  10. International Data Transfers: The CPRA hints at future regulation regarding restrictions on cross-border data transfers, but the specifics have not yet been developed.

Businesses that fall within the scope of the CPRA need to ensure compliance by reviewing and updating their data protection policies, practices, and contracts. Consumers should be aware of their enhanced rights under this law and know how to exercise them.

Filed Under: law

New York Medical & Healthcare Debt Collection Agency

New York’s healthcare debt collection process has changed throughout the years. Doctors in NY have to deal with a high cost of living, burnout, regulatory challenges, insurance reimbursement issues and significant health disparities based on race, ethnicity, socioeconomic status, and other factors. Addressing these disparities can be a complex and challenging task.

Medical professionals continue to grapple with elevated levels of accounts receivable, impacting their profitability and sustainability. Most of these debts come from doctors, dentists and ambulance rides. Hiring a collection agency will de-stress your staff and give them time to focus on the core tasks for which they were hired in the first place.

Need a Medical Collection Agency in New York: Contact us

New York has its own set of laws that supplement the FDCPA. The New York City Department of Consumer Affairs enforces the city’s own debt collection regulations, which offer protections beyond the federal FDCPA.

Here are some key aspects of New York’s debt collection laws:

  1. Licensing Requirement: In New York City, all debt collection agencies must be licensed by the Department of Consumer Affairs.

  2. Statute of Limitations: In New York, the statute of limitations on debt varies depending on the type of debt. The statute of limitations for most consumer debts, such as credit card debt, is six years. Once this period has passed, the debt becomes “time-barred,” meaning the creditor or collector can’t successfully sue the debtor to collect the debt.

  3. Debt Validation: Debt collectors are required to validate the debt. If you request it, they must provide written verification of the debt.

  4. Communication: Collectors must respect consumers’ wishes about when and how to contact them. If you request in writing that a collector stop contacting you or contact you only through a lawyer, they must comply with this request.

  5. Harassment and Abusive Practices: Both the FDCPA and New York law prohibit debt collectors from harassing, oppressing, or abusing any person in connection with the collection of a debt.

  6. Unfair Practices: Debt collectors are prohibited from using unfair or unconscionable means to collect or attempt to collect a debt.

  7. Garnishment and Property Seizure: If a creditor obtains a court judgment against a debtor, they may be able to garnish wages or seize certain assets. However, New York law provides certain exemptions.

New York Medical and Health Care Debt Collection Statistics

Almost half of the country is in debt, with the majority of those unpaid balances coming from medical bills. The average unpaid medical debt balance averages out to about $580. A vast majority of New Yorkers (about 15%) have found that they have received emergency treatment within the course of a few months. However, around 7% of those patients are uninsured.

The 2016 report showed that 7% of patients between the ages of 19 and 64 are uninsured. While this number has seen a decrease in 2012, this number still negatively affects doctors and hospitals who find these patients have no immediate way to pay for their medical expenses. Eventually, these doctors will send off their unpaid accounts to a New York medical debt collection agency.

Problems Faced by New York Doctors and Hospitals

Even though doctors and hospitals can save face with their patients by sending them to collections, it still causes an imbalance in their business expenses.

Lack of payment can lead to staff cuts, longer hours, and debt of their own. Hospitals have tried to remedy this loss by cutting back on necessary medical equipment, staffing hours, and even payment. This can often lead to insufficient care from overworked doctors or lack of available services in lieu of proper medical equipment. Doctors have also realized that their salaries are being more narrowly negotiated because hospitals can’t afford to pay doctors at a higher wage if the patient debt is too large.

New York Debt Collection Medical Laws

Around 2006, New York set laws to protect patients from aggressive debt collection calls.

New York law also dictates that medical institutions and professionals must provide patients with the option for payment plans and/or alternative payment options.

The Statute of Limitations for New York is six years. This refers to the amount of time a medical establishment has to sue a patient for non-payment. The clock starts ticking the moment the patient receives their first bill and restarts after their most recent payment.

Medical debt still affects a patient’s credit score. Doctors typically do not personally sue their patients for unpaid bills, rather, they sell their unpaid patient expenses to a debt collection agency. The agency will contact the former patients for payment.

There are now strict rules against debt collectors about contacting patients for medical and health care debt collections. They cannot harass, bully, or contact patients in unethical manners to try to procure a form of payment. And according to The Atlantic, “New York and eight other states have passed comprehensive laws protecting patients from surprise billing.”

References:
thefinancialclinic.org/medical-debt-collection-know-your-rights/

https://www.credit.com/credit-scores/how-medical-debt-can-impact-your-credit-score/

https://www.commonwealthfund.org/publications/issue-briefs/2017/mar/insurance-coverage-access-care-and-medical-debt-aca-look

New York City