New York Proposes Extensive Data Security Regs for Financial Services Companies, Begins 45-Day Comment Period

New York State has released new proposed Cybersecurity Requirements for Financial Services Companies.  You can read the full proposal here.

According to the document, “the regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

Among the requirements are written policies and procedures that are regularly approved by the company’s Board, and cover the following:

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and network monitoring
  9. Systems and application development and quality assurance
  10. Physical security and environmental controls
  11. Customer data privacy
  12. Vendor and third-party service provider management
  13. Risk assessment
  14. Incident response

Other requirements include:

  • the designation of a qualified Chief Information Security Officer
  • annual penetration testing
  • quarterly vulnerability assessments
  • maintenance of an audit trail
  • management of access privileges
  • annual review of application development security procedures
  • annual risk assessments
  • regular training of all cybersecurity personnel
  • policies and procedures addressing third party information security
  • a process requiring multi-factor authentication to access systems or data
  • policies and procedures for timely destruction of particular data

The proposal states that it would become effective in January 1, 2017, with the requirement for all Covered Entities to submit an annual Certification of Compliance with the New York State Department of Financial Services Cybersecurity Regulations starting January 15, 2018. There would be a 180 day transitional period from the effective date for Covered Entities to comply.

There is a 45-day comment period on the proposal.

New York Proposes Extensive Data Security Regs for Financial Services Companies, Begins 45-Day Comment Period
http://www.insidearm.com/daily/featured-post/new-york-proposes-extensive-data-security-regs-for-financial-services-companies-begins-45-day-comment-period/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

RevSpring Announces Free Webinar: Creating a Framework for Compliance and Ethics

WIXOM, Mich. – RevSpring’s next free webinar, Creating a Framework for Compliance and Ethics, will occur on September 20 at 2 p.m. EST. Attendees will learn about the critical steps necessary to ensure their organization remains compliant in the changing regulatory landscape. Topics covered during the webinar will include:

  • Developing board and management oversight
  • 8 elements for an effective compliance program
  • Response to consumer complaints
  • Conducting compliance audits

During this vital webinar, we’ll discuss:

  • Methods to Improve Company-Wide Oversight and Limit Deficiencies
  • Recent Changes in the Regulatory Environment

Agencies must recognize compliance is a 24/7 endeavor. We hope you’ll join RevSpring on September 20 to learn how you can protect your organization now, as well as in the future.

Click here to register or contact learnmore@revspringinc.com for more information.

About RevSpring
RevSpring facilitates over one billion customer interactions annually, serving more than 2,000 clients across the accounts receivables management, healthcare, home services, financial services, and other end-markets. Our diverse and expert solutions accelerate cash flow and improve ROI on time-sensitive consumer communications.

RevSpring’s billing and consumer communication platform allows you to receive payments faster with more connection options, including mail, web, text, and phone. Plus, we improve the design and distribution methods of your consumer communications to make your interactions more impactful, meaningful, and effective.


RevSpring Announces Free Webinar: Creating a Framework for Compliance and Ethics
http://www.insidearm.com/accelerate-revenue/creating-a-framework-for-compliance-and-ethics/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

RevSpring Announces Free Webinar: Creating a Framework for Compliance and Ethics

WIXOM, Mich. – RevSpring’s next free webinar, Creating a Framework for Compliance and Ethics, will occur on September 20 at 2 p.m. EST. Attendees will learn about the critical steps necessary to ensure their organization remains compliant in the changing regulatory landscape. Topics covered during the webinar will include:

  • Developing board and management oversight
  • 8 elements for an effective compliance program
  • Response to consumer complaints
  • Conducting compliance audits

During this vital webinar, we’ll discuss:

  • Methods to Improve Company-Wide Oversight and Limit Deficiencies
  • Recent Changes in the Regulatory Environment

Agencies must recognize compliance is a 24/7 endeavor. We hope you’ll join RevSpring on September 20 to learn how you can protect your organization now, as well as in the future.

Click here to register or contact learnmore@revspringinc.com for more information.

About RevSpring
RevSpring facilitates over one billion customer interactions annually, serving more than 2,000 clients across the accounts receivables management, healthcare, home services, financial services, and other end-markets. Our diverse and expert solutions accelerate cash flow and improve ROI on time-sensitive consumer communications.

RevSpring’s billing and consumer communication platform allows you to receive payments faster with more connection options, including mail, web, text, and phone. Plus, we improve the design and distribution methods of your consumer communications to make your interactions more impactful, meaningful, and effective.


RevSpring Announces Free Webinar: Creating a Framework for Compliance and Ethics
http://www.insidearm.com/accelerate-revenue/creating-a-framework-for-compliance-and-ethics/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

Ontario Systems Recognizes Radius Global Solutions Leadership with Second Annual Pinnacle Awards

Executives Steve Elliott, Steve Leckerman, and Michael Barrist will be honored September 21 at annual Ontario Systems user conference

MUNCIE, Ind. – Ontario Systems, a leading accounts receivable management (ARM) and healthcare revenue cycle management (RCM) software and services provider, announced today it would present Radius Global Solutions executives Steve Elliott, Steve Leckerman and Michael Barrist with its second annual Pinnacle Awards. The three receivables leaders will be on hand at PowerUp 2016, the company’s annual user conference, to receive the honor during the event’s opening session on September 21. The award is presented to individuals who have made outstanding and significant achievements in innovation, technology and leadership over the course of their careers.

“One of the major goals of our conference every year is to honor the visionaries in our industry who carry the torch,” says Ontario Systems CEO Ron Fauquher. “Steve, Steve and Michael have exhibited proven success in the ARM industry – their long history of growth and profitable operations proves it. I look forward to congratulating them on their decades of service in Indianapolis next week, as well as our other customers and partners who continue to thrive in a market that gets more complex and challenging each year.”

Elliot, Leckerman, and Barrist together have more than 75 years of experience in ARM leadership, and are all currently named as Managing Directors with Radius Global Solutions. Elliott serves as the company’s CIO, while Leckerman and Barrist define the business’s operative strategy and execution. The three formerly worked together to lead NCO Financial Systems, which eventually grew from a $10 million company with 140 employees into a multi-billion dollar multinational, and the largest player in the BPO and collection services industry.

“Each year, we offer Pinnacle Awards to members of our extended family of customers and valued partners who have made outstanding and significant achievements in innovation, technology and leadership over the course of their careers,” says Mike Meyer, Senior Director of Sales with Ontario Systems. “Steve, Steve and Michael individually are true forces in the collection industry – but it’s been truly inspiring to watch them master the art of seamlessly integrating strategy, technology and execution as a team. They have helped Ontario Systems adopt practices that have helped define success for many businesses in the receivables space.”

More details and registration information about PowerUp 2016 are available at http://powerup.ontariosystems.com. The conference runs September 21-23 at the Indianapolis Marriott Downtown.

About Ontario Systems

Ontario Systems, LLC is a leading provider of revenue cycle management (RCM) and accounts receivable management (ARM) software, services and solutions to the ARM, healthcare and government industries. Established in 1980 and headquartered in Muncie, Ind., Ontario Systems also has a location in Vancouver, Wash., and employees in 27 states. Ontario Systems offers a full portfolio of software, services and business process expertise, including product brands such as Artiva RM™, Artiva HC™, Contact Savvy®, Columbia Ultimate and RevQ. Ontario Systems customers include eight of the 10 largest ARM companies and five of the 15 largest hospital networks in the U.S. With Ontario Systems’ solutions, hospital network customers actively manage over $40 billion in receivables collectively.

Ontario Systems Recognizes Radius Global Solutions Leadership with Second Annual Pinnacle Awards
http://www.insidearm.com/daily/debt-collection-news/ontario-systems-recognizes-radius-global-solutions-leadership-with-second-annual-pinnacle-awards/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

Ontario Systems Recognizes Radius Global Solutions Leadership with Second Annual Pinnacle Awards

Executives Steve Elliott, Steve Leckerman, and Michael Barrist will be honored September 21 at annual Ontario Systems user conference

MUNCIE, Ind. – Ontario Systems, a leading accounts receivable management (ARM) and healthcare revenue cycle management (RCM) software and services provider, announced today it would present Radius Global Solutions executives Steve Elliott, Steve Leckerman and Michael Barrist with its second annual Pinnacle Awards. The three receivables leaders will be on hand at PowerUp 2016, the company’s annual user conference, to receive the honor during the event’s opening session on September 21. The award is presented to individuals who have made outstanding and significant achievements in innovation, technology and leadership over the course of their careers.

“One of the major goals of our conference every year is to honor the visionaries in our industry who carry the torch,” says Ontario Systems CEO Ron Fauquher. “Steve, Steve and Michael have exhibited proven success in the ARM industry – their long history of growth and profitable operations proves it. I look forward to congratulating them on their decades of service in Indianapolis next week, as well as our other customers and partners who continue to thrive in a market that gets more complex and challenging each year.”

Elliot, Leckerman, and Barrist together have more than 75 years of experience in ARM leadership, and are all currently named as Managing Directors with Radius Global Solutions. Elliott serves as the company’s CIO, while Leckerman and Barrist define the business’s operative strategy and execution. The three formerly worked together to lead NCO Financial Systems, which eventually grew from a $10 million company with 140 employees into a multi-billion dollar multinational, and the largest player in the BPO and collection services industry.

“Each year, we offer Pinnacle Awards to members of our extended family of customers and valued partners who have made outstanding and significant achievements in innovation, technology and leadership over the course of their careers,” says Mike Meyer, Senior Director of Sales with Ontario Systems. “Steve, Steve and Michael individually are true forces in the collection industry – but it’s been truly inspiring to watch them master the art of seamlessly integrating strategy, technology and execution as a team. They have helped Ontario Systems adopt practices that have helped define success for many businesses in the receivables space.”

More details and registration information about PowerUp 2016 are available at http://powerup.ontariosystems.com. The conference runs September 21-23 at the Indianapolis Marriott Downtown.

About Ontario Systems

Ontario Systems, LLC is a leading provider of revenue cycle management (RCM) and accounts receivable management (ARM) software, services and solutions to the ARM, healthcare and government industries. Established in 1980 and headquartered in Muncie, Ind., Ontario Systems also has a location in Vancouver, Wash., and employees in 27 states. Ontario Systems offers a full portfolio of software, services and business process expertise, including product brands such as Artiva RM™, Artiva HC™, Contact Savvy®, Columbia Ultimate and RevQ. Ontario Systems customers include eight of the 10 largest ARM companies and five of the 15 largest hospital networks in the U.S. With Ontario Systems’ solutions, hospital network customers actively manage over $40 billion in receivables collectively.

Ontario Systems Recognizes Radius Global Solutions Leadership with Second Annual Pinnacle Awards
http://www.insidearm.com/daily/debt-collection-news/ontario-systems-recognizes-radius-global-solutions-leadership-with-second-annual-pinnacle-awards/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

LiveVox Discusses How Technology is Simplifying Compliance and Performance Approaches to Vendor Management at DCS 2016

SAN FRANCISCO, Calif. – LiveVox Inc., a leading provider of cloud contact center solutions for enterprise operations, announ­­­­­­ced that it will join industry experts to discuss the impacts of technology on vendor management at DCS 2016 in Tucson, AZ.

On the panel, Dusty Whitesell, Chief Evangelist states, “The past few years have seen the creditor/issuer relationship focus almost solely on compliance, driving the costs of audits to new heights and pushing performance to the backseat. It was simply too hard, too costly, and too complicated to adapt multi-million-dollar contact center networks to this new regulatory driven environment. But that is no longer the case, technology such as cloud is providing plug-and-play solutions that are helping significantly lower the barriers to achieving the control, visibility, and performance insight needed to remain effective in an outsourcer relationship.  I look forward to discussing the impacts of these new capabilities with my fellow panelists and thank RMS for putting on another stellar event.”

LiveVox is a leader in providing risk mitigation tools that simultaneously address key compliance concerns while optimizing performance efficiencies.  LiveVox’s clicker application known as HCI (Human Call Initiator) and Phone Dial Attempt Supervisor (PDAS) are prime examples of how LiveVox is providing contact centers with a competitive advantage in a changing regulatory environment through innovation. To learn more, contact us at info@livevox.com

The panel will focus on the idea of technology providing additional control and visibility around vendor oversight. From remote access capabilities to analysis of calls, learn how call recordings and call analysis can be a key driver of your compliance oversight program. This session focuses on how technology can drive the discussion and the logistics of various vendor compliance initiatives.

About the event:

  • PANEL: Vendor Oversight – Using Technology Wisely
  • DATE/TIME: Thursday, September 14th, 2016 at 9:15am – 10:00am PT
  • PANELISTS:
    • Dusty Whitesell, Chief Evangelist, LiveVox, Inc.
    • Paul Kaloustian, Senior Vice President at Bank of America, Bank of America
    • Ken Evancic, Vice President, Resource Management Services, Inc.
    • Chris Straiter, Chief Compliance Officer, Sentry Credit, Inc.

About LiveVox, Inc.

LiveVox is a leading provider of cloud contact center solutions for enterprise operations.  Through a patented PCI-certified cloud platform and redundant IP/MPLS mesh, it delivers true multi-tenant, highly scalable and burstable contact center solutions such as ACD, Dialer, IVR, centralized call recording, business analytics and compliance suite. LiveVox enables fast deployment of contact center solutions from the cloud, while offering customers full control to manage their day-to-day business requirements in a cost-efficient way. For more information, visit www.livevox.com.

LiveVox Discusses How Technology is Simplifying Compliance and Performance Approaches to Vendor Management at DCS 2016
http://www.insidearm.com/daily/collection-technologies/collection-technology/livevox-discusses-how-technology-is-simplifying-compliance-and-performance-approaches-to-vendor-management-at-dcs-2016/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

LiveVox Discusses How Technology is Simplifying Compliance and Performance Approaches to Vendor Management at DCS 2016

SAN FRANCISCO, Calif. – LiveVox Inc., a leading provider of cloud contact center solutions for enterprise operations, announ­­­­­­ced that it will join industry experts to discuss the impacts of technology on vendor management at DCS 2016 in Tucson, AZ.

On the panel, Dusty Whitesell, Chief Evangelist states, “The past few years have seen the creditor/issuer relationship focus almost solely on compliance, driving the costs of audits to new heights and pushing performance to the backseat. It was simply too hard, too costly, and too complicated to adapt multi-million-dollar contact center networks to this new regulatory driven environment. But that is no longer the case, technology such as cloud is providing plug-and-play solutions that are helping significantly lower the barriers to achieving the control, visibility, and performance insight needed to remain effective in an outsourcer relationship.  I look forward to discussing the impacts of these new capabilities with my fellow panelists and thank RMS for putting on another stellar event.”

LiveVox is a leader in providing risk mitigation tools that simultaneously address key compliance concerns while optimizing performance efficiencies.  LiveVox’s clicker application known as HCI (Human Call Initiator) and Phone Dial Attempt Supervisor (PDAS) are prime examples of how LiveVox is providing contact centers with a competitive advantage in a changing regulatory environment through innovation. To learn more, contact us at info@livevox.com

The panel will focus on the idea of technology providing additional control and visibility around vendor oversight. From remote access capabilities to analysis of calls, learn how call recordings and call analysis can be a key driver of your compliance oversight program. This session focuses on how technology can drive the discussion and the logistics of various vendor compliance initiatives.

About the event:

  • PANEL: Vendor Oversight – Using Technology Wisely
  • DATE/TIME: Thursday, September 14th, 2016 at 9:15am – 10:00am PT
  • PANELISTS:
    • Dusty Whitesell, Chief Evangelist, LiveVox, Inc.
    • Paul Kaloustian, Senior Vice President at Bank of America, Bank of America
    • Ken Evancic, Vice President, Resource Management Services, Inc.
    • Chris Straiter, Chief Compliance Officer, Sentry Credit, Inc.

About LiveVox, Inc.

LiveVox is a leading provider of cloud contact center solutions for enterprise operations.  Through a patented PCI-certified cloud platform and redundant IP/MPLS mesh, it delivers true multi-tenant, highly scalable and burstable contact center solutions such as ACD, Dialer, IVR, centralized call recording, business analytics and compliance suite. LiveVox enables fast deployment of contact center solutions from the cloud, while offering customers full control to manage their day-to-day business requirements in a cost-efficient way. For more information, visit www.livevox.com.

LiveVox Discusses How Technology is Simplifying Compliance and Performance Approaches to Vendor Management at DCS 2016
http://www.insidearm.com/daily/collection-technologies/collection-technology/livevox-discusses-how-technology-is-simplifying-compliance-and-performance-approaches-to-vendor-management-at-dcs-2016/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

5th Circuit Rules Against Collector For Not Making Disclosures in Time-Barred Debt Case

Last week the 5th Circuit Court of Appeals ruled for the Plaintiff in Daugherty v. Convergent Outsourcing Incorporated; LVNV Funding, LLC, a case about what a collection letter did not say.

The decision can be found here.

Background

Plaintiff Roxanne Daugherty had accumulated $12,824 in credit card debt, and subsequently defaulted.  LVNV Funding purchased the debt from the creditor, and then hired Convergent Outsourcing to collect on its behalf. With interest, after many years the debt had increased to over $32,000. Convergent sent Daugherty a collection letter dated January 23, 2014, proposing a payment of $3,240.59 to “settle” a “past due balance of $32,405.91.” A fact not in dispute is that the debt was out of statute.

Approximately ten months later, on November 18, 2014, Daugherty filed suit against Convergent and LVNV, alleging violations of the FDCPA due to the use of false, deceptive, or misleading representations or means in connection with the collection of the debt, and by using unfair or unconscionable means to attempt to collect the debt. She claimed that the collection letter failed to disclose that the debt was not enforceable by law, that accepting a settlement would trigger tax liability, and that a partial payment would revive the statute of limitations on the full amount of the debt. She sought statutory damages of $1,000 and attorney’s fees and costs.

The Defendants moved to dismiss the suit, which was granted by the court, which ruled that the FDCPA permits a debt collector to seek voluntary repayment of a time-barred debt so long as the collector does not initiate or threaten legal action. The Plaintiff appealed.

The Appeal

The judge in this case noted that there is a conflict among circuits as to whether a collection letter offering “settlement” of a time-barred debt can violate the FDCPA if the collector does not disclose the debt’s unenforceability or expressly threaten litigation. The 3rd and 8th Circuits have said that no violation has occurred in these circumstances. The 6th and 7th Circuits have ruled that such circumstances do constitute a violation.

In the end, the judge agreed with the 6th and 7th Circuits. He referenced McMahon v. LVNV Funding, 776 F.3d 393 397 (6th Cir. 2015), which concluded that offers to “settle” are misleading to a “least sophisticated consumer” because “a gullible consumer who made a partial payment would inadvertently have reset the limitations period and made herself vulnerable to a suit on the full amount.” The 6th Cir. Judge also referenced the fact that the FTC and CFPB have argued that a debt collector collecting on time-barred debt “must inform the consumer that (1) the collector cannot sue to collect the debt and (2) providing a partial payment would revive the collector’s ability to sue to collect the balance.”

Accordingly, the 5th Circuit reversed the district court’s grant of Defendant’s motion to dismiss and remanded the case for further proceedings.

insideARM Perspective

The Court’s reference to the FTC and CFPB’s argument that debt collectors must disclose the status of a time-barred debt is interesting.

The CFPB’s Outline of Proposed Rules for debt collection, released in late July of this year, contemplates an explicit rule that the collector must provide a time-barred debt disclosure, and under what circumstances such a disclosure would be required.

Industry participants are concerned about such a requirement for a range of reasons, including the difficulty of calculating the date at which a debt will become out of statute. One issue raised is that this is information only the creditor can determine, and also that many unsophisticated creditors would be either unable or unwilling to provide this to the collector. This puts collection of not only already time-barred debt at risk, but also soon-to-be time-barred debt.

We reached out to Convergent Outsourcing for comment. Tim Collins, General Counsel, provided this statement,

“It used to be what you put in your letters that got you sued, today that has expanded to what you have not put in your letter. This creates infinite possibilities for plaintiff attorneys to sue collection agencies. Hopefully the final published rules from the CFPB will help to create some clarity as it relates to this issue but until the incentives are changed in the FDCPA, plaintiff lawyers will just find something else not in your letter to sue us on.”

5th Circuit Rules Against Collector For Not Making Disclosures in Time-Barred Debt Case
http://www.insidearm.com/daily/debt-collection-news/accounts-receivables-management/5th-circuit-rules-against-collector-for-not-making-disclosures-in-time-barred-debt-case/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

5th Circuit Rules Against Collector For Not Making Disclosures in Time-Barred Debt Case

Last week the 5th Circuit Court of Appeals ruled for the Plaintiff in Daugherty v. Convergent Outsourcing Incorporated; LVNV Funding, LLC, a case about what a collection letter did not say.

The decision can be found here.

Background

Plaintiff Roxanne Daugherty had accumulated $12,824 in credit card debt, and subsequently defaulted.  LVNV Funding purchased the debt from the creditor, and then hired Convergent Outsourcing to collect on its behalf. With interest, after many years the debt had increased to over $32,000. Convergent sent Daugherty a collection letter dated January 23, 2014, proposing a payment of $3,240.59 to “settle” a “past due balance of $32,405.91.” A fact not in dispute is that the debt was out of statute.

Approximately ten months later, on November 18, 2014, Daugherty filed suit against Convergent and LVNV, alleging violations of the FDCPA due to the use of false, deceptive, or misleading representations or means in connection with the collection of the debt, and by using unfair or unconscionable means to attempt to collect the debt. She claimed that the collection letter failed to disclose that the debt was not enforceable by law, that accepting a settlement would trigger tax liability, and that a partial payment would revive the statute of limitations on the full amount of the debt. She sought statutory damages of $1,000 and attorney’s fees and costs.

The Defendants moved to dismiss the suit, which was granted by the court, which ruled that the FDCPA permits a debt collector to seek voluntary repayment of a time-barred debt so long as the collector does not initiate or threaten legal action. The Plaintiff appealed.

The Appeal

The judge in this case noted that there is a conflict among circuits as to whether a collection letter offering “settlement” of a time-barred debt can violate the FDCPA if the collector does not disclose the debt’s unenforceability or expressly threaten litigation. The 3rd and 8th Circuits have said that no violation has occurred in these circumstances. The 6th and 7th Circuits have ruled that such circumstances do constitute a violation.

In the end, the judge agreed with the 6th and 7th Circuits. He referenced McMahon v. LVNV Funding, 776 F.3d 393 397 (6th Cir. 2015), which concluded that offers to “settle” are misleading to a “least sophisticated consumer” because “a gullible consumer who made a partial payment would inadvertently have reset the limitations period and made herself vulnerable to a suit on the full amount.” The 6th Cir. Judge also referenced the fact that the FTC and CFPB have argued that a debt collector collecting on time-barred debt “must inform the consumer that (1) the collector cannot sue to collect the debt and (2) providing a partial payment would revive the collector’s ability to sue to collect the balance.”

Accordingly, the 5th Circuit reversed the district court’s grant of Defendant’s motion to dismiss and remanded the case for further proceedings.

insideARM Perspective

The Court’s reference to the FTC and CFPB’s argument that debt collectors must disclose the status of a time-barred debt is interesting.

The CFPB’s Outline of Proposed Rules for debt collection, released in late July of this year, contemplates an explicit rule that the collector must provide a time-barred debt disclosure, and under what circumstances such a disclosure would be required.

Industry participants are concerned about such a requirement for a range of reasons, including the difficulty of calculating the date at which a debt will become out of statute. One issue raised is that this is information only the creditor can determine, and also that many unsophisticated creditors would be either unable or unwilling to provide this to the collector. This puts collection of not only already time-barred debt at risk, but also soon-to-be time-barred debt.

We reached out to Convergent Outsourcing for comment. Tim Collins, General Counsel, provided this statement,

“It used to be what you put in your letters that got you sued, today that has expanded to what you have not put in your letter. This creates infinite possibilities for plaintiff attorneys to sue collection agencies. Hopefully the final published rules from the CFPB will help to create some clarity as it relates to this issue but until the incentives are changed in the FDCPA, plaintiff lawyers will just find something else not in your letter to sue us on.”

5th Circuit Rules Against Collector For Not Making Disclosures in Time-Barred Debt Case
http://www.insidearm.com/daily/debt-collection-news/accounts-receivables-management/5th-circuit-rules-against-collector-for-not-making-disclosures-in-time-barred-debt-case/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management

It’s Phishing Season: How to Prevent Your Company from Getting Speared

David Newell

David Newell

Forbes magazine reported in May that “people are often the weakest link in the security chain.” The problem posed by contributors Steve Culp and Chris Thompson is that cyber criminals target fallible humans to get around investments in technical and physical security systems.

We recently heard a story that turns that idea on its head. Perhaps people can be the strongest link instead!?

Last month, a firm of about 150 employees was targeted with a spear-phishing attack (spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data). The attackers sent an email with a bogus invoice attached to nine different employees. Each phish was unique, with different text and filenames to evade detection, and the phishers personalized the messages with names and titles.

Unfortunately, one target, who works with invoices every day, didn’t realize this one was fake.

After clicking to open the Microsoft Word attachment, a malicious macro exploited a zero-day vulnerability (A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it.), which bore into the computer. With a foothold on the system, the attacker’s software reached out to “command and control” (C&C) servers (command and control (C&C) infrastructure consists of servers and other technical infrastructure used to control malware in general, and, in particular, botnets.) in four different countries to try to make a connection. Once connected, the code started downloading additional applications to the computer’s hard drive.

At this point, you can only imagine the worst happening: encrypted files being compromised on the victim’s computer and shared drives, hackers gaining access to customer credit card data – panic-evoking stuff! Instead, the attack abruptly stopped. A member of the IT team rushed into the victim’s office and unplugged the network cable.

The quick resolution wasn’t luck. The company had focused on security improvements over the previous year.

The firm brought in consultants to help design its security program, establish controls, scan its networks, put monitoring systems in place, update and patch, share training and awareness, and it ran through table-top exercises to test out its processes. It took hard work to reach the point where the company could quickly identify and contain an attack. One of its practices was now a “post-mortem” review, where the firm analyzes an event to learn and, when needed, make improvements. As a result, the company’s IT team mapped out the attack which we shared above.

The spear was carefully aimed.

Though only one person opened the malicious email attachment, the phish was targeted to nine different people at this firm. As it turned out, the nine names and titles came from one of many sites that harvests and sells personal information on the Internet. One name and title were incorrect in a unique way that made it clear which website was the source. An intriguing twist was that that site listed two additional employees who did not receive phishes. Both were members of the technology team. It appears the bad guys took the time to filter out IT staff who might be more likely to spot an attack.

The email messages all purported to deliver invoices, but each was slightly different. Each malicious attachment was also different. Those differences appear to have helped the malware bypass the firm’s gateway anti-malware. (The company switched products to add attachment sandboxing after this attack, and it updated its configuration standard to disable Word macros.) The team checked mail server logs to identify other recipients of the phishing attack, confirmed that none of the other eight had clicked the attachment, and removed the messages.

The firm’s intrusion detection system (IDS) didn’t detect the attack. Because the firewall blocked traffic to “risky countries,” it took several tries for the malware to find a C&C server it could reach. The firewall logged those attempts and successful connections to download more software to a centralized server but, like the IDS, the log monitoring software hadn’t registered an attack. The company’s anti-virus software only triggered on one of the additional malware downloads, reporting that the system had successfully quarantined a file.

How did IT (literally) pull the plug on this attack so quickly?

The person who opened the malicious attachment realized it was bogus and, instead of brushing it off or worrying about getting in trouble, quickly notified the IT department by following the protocol of submitting a trouble ticket via the company’s ticketing system and by personally finding an IT representative in the office. As a result, an IT staffer immediately checked the anti-virus logs and raced to the victim’s office.

Again, the swift response wasn’t luck. In addition to conducting annual awareness training sessions with all employees, each week, the firm’s IT team rotates a new “digital poster” with a simple security awareness message on every computer’s login screen. These reminders reinforce security practices that every workforce member should know. About 35% of the messages focus on reporting potential incidents to IT.

The secret to effective security reminders is three ingredients: simplicity, variety, and policy. For a little extra impact, add humor.

Make your reminders simple. Don’t use a lot of words. Deliver your message in five seconds as a worker logs in or walks down a hallway. Vary the backgrounds and format of your reminders, and rotate and refresh your reminders regularly. And mix in policy. That doesn’t mean you have to quote your policies, but consider the policies you want your workforce to follow and focus on the key policy statements that apply to everyone in your organization. Topics like good passwords, reporting possible incidents, protecting data, preventing loss or theft, and using encryption are examples. And, seriously, mixing in some humor, pop culture references, or unexpected formats (for example, haikus) can draw and keep attention. If you can get your workforce to look forward to your next information security awareness message, they are paying attention.

How should you deliver awareness messages? Continuously rotate new messages on digital signage platforms. Print small posters and place them on bulletin boards and cubicle walls. Place digital images on login screens, backgrounds, or screen savers. Send reminders by email. Post them on your intranet.

When the company completed its post-mortem review after the attack we’ve described, they reasoned that the critical control that stopped this attack quickly was an awareness poster. A person paying attention to reminders had halted an attack that two anti-virus systems, IDS, a firewall, logging, scans, and patching couldn’t stop.

People can be the strongest link in the security chain!

Additional contributions by L Kristopher Meier, President, Station 28, LLC, and Edward O’Keefe, Director of Application Development, ABC-Amega, Inc.

It’s Phishing Season: How to Prevent Your Company from Getting Speared
http://www.insidearm.com/opinion/its-phishing-season-how-to-prevent-your-company-from-getting-speared/
http://www.insidearm.com/feed
insideARM

Accounts Receivable Management