Global Asset Research & Recovery

Global Asset Research & Recovery

Global Asset Research & Recovery

Identity Theft Prevention Program

Purpose

The purpose of the program is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program in compliance with Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.

Definitions

Covered account means:

1. An account that a creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Covered accounts include utility accounts; and

2. Any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.

Credit means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.

Creditor means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

Identifying information is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, Social Security number, date of birth, government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol (IP) address, or bank routing code.

Identity theft means fraud committed or attempted using the identifying information of another person without authority.

Red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft.

SECTION 1:BACKGROUND

Although it is not yet clear if third-party collection agencies and debt buyers are defined as “creditors” for the purposes of compliance/enforcement, Global Asset Research & Recovery of Westminster, California has elected to take a proactive approach to compliance by adopting its Identity Theft Prevention Program Policy.

Global Asset Research & Recovery purchases debt and proceeds with the collection/enforcement of a court ordered debt. Although we do not extend any new credit, we may engage in a voluntary payment plan with the debtor should certain criteria be meet and agreed to by both parties. A debtor agreeing to pay such debt clearly acknowledges not only the debt but also the identity of the debtor of being true and valid. Because of this acknowledgement and agreement, we believe Global Asset Research & Recovery would be a low risk business for identity fraud.

It is also Global Asset Research & Recovery strict policy to perform due diligence searches to ensure the correct debtor has been located and/or confirmed prior to executing any form of collection and/or enforcement of a court ordered debt. This policy will define sensitive information and the security of safeguarding such data reducing and/or eliminating the risk of identity theft.

SECTION 2:PURPOSE

Global Asset Research & Recovery of Westminster, California adopts this sensitive information policy to help protect Global Asset Research & Recovery, its owner(s), employee(s), clients from damages related to the loss or misuse of sensitive information. The Program shall include reasonable policies and procedures to:

  1. Define sensitive information;
  2. Describe the physical security of data when it is printed on paper;
  3. Describe the electronic security of data when stored and distributed.
  4. Place Global Asset Research & Recovery in compliance with state and federal law regarding identity theft protection.
  5. Ensure the Program is updated periodically to reflect changes in risks to clients/customers and to the safety and soundness of the creditor from identity theft.

The program shall, as appropriate, incorporate existing policies and procedures that control reasonably foreseeable risks.

SECTION 3:SCOPE

This policy and protection program applies to all owner(s), employee(s), temporary workers and any other workers of Global Asset Research & Recovery.

SECTION 4:POLICY

(a)SENSITIVE INFORMATION POLICY

1. Definition of Sensitive Information

Sensitive information includes the following items whether stores in electronic or printed format:

(a)Credit Card information, including any of the following:

  • Credit Card number (in part or whole)
  • Credit Card expiration date
  • Cardholder name
  • Cardholder address
  • Credit Card verification code

(b)Tax Identification number, including but not limited to:

  • Social Security Number
  • EIN Number

(c)Other personal information belonging to any customer/debtor, employee or third party collection agency, examples might include but not limited to:

  • Date of birth
  • Driver License Number
  • License Plate Number
  • Address
  • Phone numbers
  • Customer/Debtor maiden name
  • Customer/Debtor names

(d)Global Asset Research & Recovery owner(s), employee(s), … are consistently reminded to use common sense judgment in securing confidential information to the proper extent. Furthermore, this section should be read in conjunction with the California Public Records Act. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor.

2. Hard Copy Distribution

Each employee that provides services for covered account customer/debtor will comply with the following policies:

(a)File cabinets, desk drawers, overhead cabinets, and any

other storage space containing documents with sensitive information will be locked when not in use.

(b)Storage rooms containing documents with sensitive information and record retention areas will be locked at the end of each workday or when unsupervised.

(c)Desks, workstations, work area, printers and fax machines along with common shared work areas will be cleared of all documents containing sensitive information when not in use.

(d)When documents containing sensitive information are discarded they will be placed inside a locked shred bin or immediately shredded.

(e)Any sensitive information shipped using outside carriers or contractors will be encrypted and an inventory of the information being shipped will be kept. It will be shipped using an overnight shipping service that will allow tracking of the delivery of this shipment.

3. Electronic Distribution

Each employee that provides services for covered account customer/debtor is required to comply with the following policies:

(a) Any sensitive information sent internally or externally should be

Encrypted and password protected and only to approved recipients. Additionally, a statement such as this should be included in the email:

“This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.”

4. Security of Electronic Records

(a)Anti-virus and anti-spyware programs will be run on individual computers and on servers on your network daily.

(b)When credit card information or other sensitive financial data is received or transmitted, use Secure Sockets Layer (SSL) or another secure connection that protects the information in transit.

5. Password Management

(a)Access to sensitive information will be controlled using “strong” passwords.

Strong passwords should include a mix of letters, numbers and other characters

(if possible).

(b)User name and passwords will be different.

(c)Passwords will not be shared or posted near workstations.

(d)Password activated screen savers will be used to lock employee computers after a period of inactivity.

(e)When installing new software, immediately change vendor supplied default passwords to a more secure strong password.

6. Firewalls

(a) Use a firewall to protect your computer from hacker attacks while it is connect to the

Internet. A firewall is a combination of hardware and software which limits the exposure of a computer or group of computers to an attack from outside

6. Disposal of Computers and Portable Storage Devices

(a)When disposing old computers and portable storage devices, a complete formatting of any hard drive must be done prior to discarding or retiring old computers or other portable storage devices.

(b)Any compact disc (CD or DVD) will be disposed of by shredding or punching holes throughout the CD or DVD before discarding.

SECTION 5:ADDITIONAL IDENTITY THEFT PREVENTION PROGRAM POLICY

Additionally, the Identity Theft Prevention Program Policy includes the detection, prevention and mitigation of “Red Flags” in connection with existing covered accounts.

(a)Red Flags

  1. The following red flags are potential indicators of fraud. Any time a red flag or situation closely resembling a red flag is apparent, an immediate investigation will be performed.
  • Alerts, notifications, or warnings from a consumer or credit-reporting agency, such as fraud detection services.
  • A fraud or active duty alert included with a consumer or credit report
  • A notice of credit freeze from a consumer or credit-reporting agency in response to a request for a consumer or credit report.
  • Report of deceased social security number with a consumer or credit report.

Mitigation for items 5(a)(1) – Additional in-house investigative research will be completed if client/debtor does not voluntary acknowledge debt. Investigative research may include asking client/debtor to verify information with supporting documentation, if necessary.

(b)Suspicious Documents

  • Identification document or card that appears to be forged, altered or inauthentic;
  • Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
  • Other document with information that is not consistent with existing customer information (such as if a person’s signature on a check appears forged); and
  • Application for service that appears to have been altered or forged.
  • A lease or rental agreement appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
  • Pay stubs or other income verification that appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Mitigation for items 5(b) – Ask client/debtor to provide either original documents or better copies to ensure all suspicions are removed. If you are still concerned about the validity of those documents, a notarized document may be requested.

(c) Suspicious Personal Identifying Information

  • Identifying information presented that is inconsistent with other information the client/debtor provides (example: inconsistent birth dates);
  • Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on the credit report);
  • Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
  • Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);
  • Social Security number presented that is the same as one used by others.
  • An address or phone number presented that is the same as that of another person;
  • A person fails to provide complete personal identifying information on an application when reminded to do so (however, by law social security numbers must not be required); and

Mitigation for items 5(c) – Ask client/debtor to provide either original documents or better copies to ensure all suspicions are removed. If you are still concerned about the validity of those documents, a notarized document may be requested.

SECTION 6:RESPONDING TO RED FLAGS

Once potentially fraudulent activity is detected, an employee must act quickly since a rapid response can protect the consumer and Global Asset Research & Recovery from damages or loss.

  1. Follow the recommended Mitigation instructions listed with the Red Flags.
  2. If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include:
  1. Canceling, closing the transaction/file.
  2. Notifying and cooperating with appropriate law enforcement.
  3. Determining the extent of liability of Global Asset Research & Recovery; and
  4. Notifying the actual consumer that fraud has been attempted.

SECTION 7:UPDATING THE PROGRAM

  1. Changes in methods of identity theft;
  2. Changes in methods to detect, prevent and mitigate identity theft;
  3. Changes in the business arrangements of the organization, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.
  4. As part of the review, red flags may be revised, replaced, or eliminated. Defining new flags may also be appropriate.

SECTION 8: ADMINISTRATION OF PROGRAM

  1. Petra Alluis of Global Asset Research & Recovery shall be responsible for the development, implementation, oversight and continued administration of the Program.
  2. The Program administrator shall train staff, as necessary, to effectively implement and maintain the Program.

Staff Training

  1. Staff training shall be conducted for all employees for whom it is reasonable foreseeable that they may come into contact with accounts/files or personally identifiable information that may constitute a risk to Global Asset Research & Recovery.
  2. Employees will receive training in all elements of this policy. To ensure maximum effectiveness, employees may continue to receive additional training as deemed necessary by the Program Administrator.

Oversight of Service Provider Arrangements

Service Providers used by Global Asset Research & Recovery retained to perform an activity in connection with one or more accounts/files will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:

  1. Require a service providers have such policies and procedures in place; and maintains its own Identity Theft Prevention Program Policy, consistent with the guidance of the red flag rules and validated by appropriate due diligence.

This policy will take effect immediately upon signing. This policy will be reviewed every 2 years or as deemed necessary by the Program Administrator.

This Program has been approved by:

______

Petra Alluis

Owner of Global Asset Research & Recovery and Program Administrator

______

Date

Identity Theft Prevention Program

Global Asset Research & Recovery

ConfidentialPage 1 11/22/2018 1

Top View