Debt collectors: next weak link for data security?

Network World has two interesting articles about the information debt collectors have access to and the risks posed by this concentration of data.

Call it the second wave of data breaches. The first wave came courtesy of massive aggregators experiencing major data breaches (ChoicePoint, Acxiom, Lexis-Nexis) and briefly putting the issue of data security on the map, before it faded from the collective consciousness again. These companies, which until recently had no direct consumer-facing operations and dealt only in B2B markets, were forced into the limelight for their 15 minutes of infamy/congressional grilling. Nothing encourages better security quite like public scrutiny. But the data aggregators, much like the credit reporting bureaus, essentially constitute an oligopoly immune to competition. Much as consumers have no choice in opting out of having their credit history collected by the “triumvirate” (Equifax/TransUnion/Experian), they have no meaningful choice over having their information compiled and commoditized. In fact, owing to the lack of anything comparable to FCRA, there is even less accountability with data providers. Given this lack of economic incentives, it remains to be seen whether the security lockdown and public floggings after the data breaches will have any effect. Meanwhile the Network World article draws attention to debt collectors (who often receive their data from the major brokers and often end up spreading it around in the name of tracking down missing payments) as the next problem spot. Quote:

“As IT director for a medium-sized collection agency, I can tell you that there are indeed many large databases out there that we use for ‘skip tracing’. . . [and] anybody posing as a business can get access to them.”

“So what information can be acquired? […] Social Security numbers, known accounts (but not account numbers), known aliases, all of present and past addresses, the names of people living near the debtor (known as “nearbys”), people in the same town with the same last name (known as “possibles” as they might be related to the debtor), companies having made recent queries against the debtor’s credit and recent employers.”

The earlier article by the same author establishes the position of debt collection agencies as the downstream beneficiaries from the main artery of information flow. Barriers to entry are remarkably low:

It turns out pretty much anyone can set up a collections operation by buying a package of bad debts for around $40,000, hiring collectors who will work on commission, and applying for the appropriate city and state licenses. Once a company is set up it can buy access to Acxiom and Experian and other databases and start hunting down defaulters.

There is a circularity to all of this. Defaults may be one of the expected consequences of easy credit. That credit is made possible only by the massive databases that allow any business anywhere in the country to make a decision within minutes about the creditworthiness of any customer who walks in the door. Proponents justify the existence of data collection and mining operations by that one benefit: a portable “reputation score” that travels with the individual, attached to their Social Security number and unlocking doors at every step, such as the doors to a new home or a new car. The information is no doubt important for the efficient functioning of the system; the subprime debacle showed what happens when lending decisions are made without regard for credit rating. (Oddly enough, in that case the easy access to information made no difference: since the mortgage was getting securitized with an over-inflated rating, the lenders had no incentive to check on the odds of payment.) When debt collection agencies purchase and share that data, they are trying to solve a problem that would not have existed had extensive credit data not been available in the first place to make bad lending decisions endemic.


