A security breach or a loss of consumer information could have huge consequences for a debt purchaser or collection agency but many ARM firms have yet to prepare for such an event, according to a provider of security systems that serves the industry.

“The interest is heightened but the activity is not. Unfortunately it may take a couple of breaches (in this industry) before action occurs,” said David Mertz, chief operating officer of Compliance Management Partners, a data security consulting firm that provides audits and other services to guard against breaches.

Just this month, card issuer GE Money reported it had lost a computer tape, possibly compromising personal information on 650,000 customers of JCPenney and about 100 other merchants. The tape held Social Security numbers of as many as 150,000 customers.

Mertz predicts that debt buyers especially, but also some collection agencies, will begin this year to address the threat of a loss of personal identification information of consumers.

A security breach can be extraordinarily expensive, require company resources to address, and possibly end the long-term viability of the affected firm.

Retailer T.J. Maxx last year took a $118 million charge for the breach of at least 46 million cards that began in July 2005. Card processor CardSystems never recovered from the loss of as many as 200,000 card accounts in 2005 and was bought by biometric payments house Pay By Touch.

Preventing a breach requires an investment but that is typically cheaper than the cost in time and money to repair a breach after the fact, said Mertz.

The Federal Trade Commission is the primary federal regulator overseeing consumer data security. It requires those firms that store, process and/or transmit personal identity information to manage the information, protect it from unauthorized access, and provide consumers an opportunity for redress if the data is compromised. If a firm fails to meet these standards, the FTC can impose fines and penalties and implement a 20-year oversight program, notes Mertz.

The Payment Card Industry (PCI) security guidelines are coming to the fore as a standard for firms in the payments industry, according to Mertz. The guidelines must be met by any firm that accepts a credit card for payment, and by firms that store card information.

Some ARM firms contend they aren’t impacted by PCI because they hold credit card information on accounts that have been closed, so the numbers are no longer valid. That argument didn’t work for T.J. Maxx, said Mertz, when it said it shouldn’t be held liable for stolen card accounts that had been closed.

The PCI Security Standards Council, made up of such firms as Visa and American Express, disagreed with the retailer’s contention. Last year, TJX Co., the retailer’s parent, agreed to pay $41 million to Visa-member banks impacted by the breach.

Lenexa, Kan.-based Compliance Management Partners offers a variety of services to firms seeking to ensure their data is secure and that they meet such industry guidelines as PCI, SAS 70 and ISO 17799. Fees depend on the size of the firm, said Mertz.

Compliance Management will perform an assessment of a company’s data security system for $5,000 to $15,000, conduct a full security audit, and put together a remediation plan. For a fee of $2,500 to $5,000 a month it will act as a firm’s information security officer, said Mertz.

“It’s important that companies take a proactive approach. (The ARM industry is) in the early awareness phase, but not in the activity phase,” said Mertz. “That will change this year as issuers require information security from the firms they sell to,” he said.
