Thursday, February 28, 2008

Beware of "zombie debt" -- you may not owe it

ABC “Good Morning America” on Feb. 28 carried a brief story on “zombie debt.” This refers to a practice of banks selling very old uncollected debts to collection agencies (often they will sell a $1000 debt for about $100) and then the debt collectors pursue the consumers aggressively, and get to keep the profit. This sort of business is distinct from more common debt collection practices, where the creditor owns the debt and the debt collecting company (and sometimes individual collection employee) earns a “commission” on the collection once it is actually paid.

According to the ABC story, most states have statutes of limitations on debts, and it is illegal to post a overly aged but previously unknown debt on a credit report. However, many consumers do not know this. Some practices of these companies would violate both the Fair Credit Reporting Act and the Fair Debt Collection Practices Act.

I had an episode like this. In February of 2000, while living in Minneapolis, I decided to pursue the idea of buying a house. I pulled a credit report by mail (it was not as automated yet and the laws requiring annual free reports were not yet in effect) and found a “bed debt” for a $17 Discover Card charge, that had compounded to $45 back from 1994, and a Chase debt of $625 that belonged to a credit agency in New York City. I went ahead a settled with Discover myself for the $17 (it had been a card renewal charge that got lost when I moved, and then I dropped the card), and they removed the item. Then I called the collection agency about the Chase. They claimed that I had taken the card out in 1980, and the debt principal had been $129. They claimed it had belonged to Chemical Bank, which has since been bought. It is true that I probably did have a Chemical Visa in the 1980s. They also claimed that they had mailed the debt to my 11th Street address in New York City. Well, I had moved to Dallas in January 1979, so the timing of the events did not make sense. It is possible that a debt had been lost in the moves. Yet, I bought condos in 1980 and again in 1984, and it did not show up on mortgage credit reports. My employer then, Chilton Corporation (ironically a credit reporting company in Dallas, since bought by TRW and now known as Experian) did security credit checks on all its employees in 1987, and the debt did not turn up then, even if lost. I would have settled if it had. So, why now?

The New York City collection agency became very belligerent and threatened to sue me. Because the mortgage company in Minnesota said that this would have to be settled for me to pursue a house, I paid it. But it looks now like this was illegal. The credit reporting companies should not have reported an item that old, and apparently I could not have been held responsible for the money. Even the Minnesota mortgage company should have known that.

I even wonder if old assumed mortgages (unqualified or “subject-to” assumptions) before the 1990s could come back as “zombie debts.”

ABC also indicated that many times the charges are fraudulent, and related to identity theft, which, even when cleared, come back as “zombie debt.”

To add to the irony, I worked as a debt collector myself in Minnesota in 2003 for a while before moving back to the East, for a company called RMA. But I did not work on any line of business like this. Another “interesting” line of business is medical collections. When a collector calls a debtor, he or she starts with a “mini-miranda” statement.

The ABC link is here.
The story is called "Zombie Debt: The Bills That Won't Die: One Woman Sued to Stop the Harassing Phone Calls."

Saturday, February 23, 2008

Employers have to be much stricter about access to customer data

Businesses and governments alike are having to pay much more attention to employee access of customer personal information, and make sure that access takes place only for immediate business (such as customer service) purposes.

An AP story Feb. 23 by Ryan J. Foley, "Worker snooping on customer data common," discusses problems at a Wisconsin utility. The link is here. While many of the concerns expressed in news stories like this involve customer service workers, another concern would be how companies do their systems testing. Companies often do Quality Assurance and user acceptance testing by building QA test regions based on extracts of production data, often with software utilities designed to do just that. That means that IT employees may have considerable "exposure" to production data. Sometimes employees keep copies of test results just to prove that their systems work properly, but this could lead to increased risk of privacy compromise in the long run, and could violate privacy laws (like HIPAA).

Another important AP story by Frederic J. Frommer, "Report: Identity theft efforts lacking," is critical of the ability of government agencies to protect private data. The link is here. In some cases, local governments have posted sensitive data on the Internet, but have removed the data since.

Telecommuting, employees working at home with their own computers or with laptops brought home from work, as well as taking work home, also increases the risk of compromise. In a couple of cases, laptop computers have been stolen from employee homes during burglarize, leading to potential compromises.

Tuesday, February 19, 2008

Middle school demonstration on identity protection

Today, Saturday Feb. 9, 2008, the Arlington VA Police Department and Sheriff’s Department had a community safety forum at the newly rebuilt Kenmore Middle School, with auditorium programs on Internet safety for parents and teens, and especially consumer identity protection.

The Arlington police department did a demonstration on how bank card skimmers work at ATM’s. One piece of advice was to limit the use of debit cards online and use credit cards instead.

The identity issue has led even to fraudulent mortgages and auto loans. I asked why lenders do not do more due diligence on identifying customers, and the answer was “good question.” The officer went on to say that “loss prevention” is usually the first to cut employees in an economic downturn. Lenders work on the basis of short-term profit and it is hard to incentivize them to protect consumers for the longer term. The subprime crisis was mentioned as an example. Again, lenders do not have a single system set up to enable them to identify consumers reliably in a cost-effective manner, at least without triggering privacy concerns known from airline security issues and 9/11.

I also asked if identity problems led to false prosecutions, especially after hacker activity (related to c.p. or zombies and DOS attacks) and they indicated that actual wrongful prosecutions are very rare.

On CNN this afternoon, there was an ad for (I'm not adding the link because McAfee gives the site a yellow, claiming that the site sells something that should be available for free -- feel free to check this out yourself), that suggested that, without it, any person could wind up serving fish and tartar sauce in T-shirts for the rest of his life (it used a fast food place for that effect). It was a rather offensive ad.

(Note: This posting was originally made on Feb. 9; it was deleted and re-added to give the posting a correctly formatted title.)