In today’s technology-driven business environment, it is not uncommon to see a field agent pull their recovery vehicle into a business parking lot and use the “FREE WI-FI” to work on their laptop, notebook or smart phone. Using the “FREE WI-FI” network is perceived to speed up the process and save money on communication costs.
But when field agents use this type of “FREE WI-FI”, every agency owner should ask themselves, “Is this a safe and compliant action, or does the use of ‘FREE WI-FI’ networks place protected consumer data and agency information at risk?”
One of the conveniences of our modern world is the “FREE WIRELESS INTERNET CONNECTION” which is now offered by various businesses for use by their customers. This “FREE WI-FI” connection can be especially useful for your field agents who want to continue working or otherwise stay connected to your agency network via their laptops, notebooks or smart phones.
Many agency owners, managers and compliance officers do not realize the inherent security risks of using public WI-FI connections, or the unintended consequences for data security compliance requirements.
Once this issue is brought to their attention and the appropriate agency personnel become aware of the compliance concerns, it is fairly easy to take precautions that prevent a field agent’s use of public WI-FI from becoming a security hazard.
The recovery agency’s main concern with public WI-FI is the danger of transmitting GLBA-protected non-public personal information through the air in an unprotected environment. Unlike protected WI-FI networks, public ones are by definition open to the general public. Anyone can join a public WI-FI network, regardless of how trustworthy or untrustworthy they are to other network users. As such, these networks are generally not encrypted, or if they are, the key is widely available, so the encryption provides no real protection.
Normally, recovery agency computers connected to a WI-FI network only process data intended for that computer. However, due to the nature of wireless communications, ordinary devices are capable of receiving data intended for any computer on the network. Using widely available software, it is possible, and common, to sit at a location with public WI-FI and passively read other people’s network traffic, in hopes of obtaining valuable non-public personal information such as a consumer’s social security number, date of birth, residence and business address, and other useful credit details.
Agency owners should be aware of another concern that, while a smaller risk, is still important. That risk is the lack of trust in the owner of the network. Even if your field agent is at a coffee shop that is part of a major chain, the owner or manager of the store may not be trustworthy. An unscrupulous network owner has the ability to modify any network traffic passing through his or her network, performing a type of man-in-the-middle attack.
So what can an agency owner or compliance officer do to protect critical consumer data?
Here are a few suggestions to ensure data protection compliance.
One very simple precaution that provides adequate protection from both of these issues is to always use encrypted protocols, such as HTTPS, while on any type of public WI-FI network. If your field agents see “https://” at the beginning of a URL (note the ‘s’), they will know that anything they do on that site is as safe from prying eyes as it would be on a private network. Also, if someone attempts a man-in-the-middle attack to intercept or modify the information as it is sent, the browser should detect that and display an easy-to-spot warning.
Email that uses encryption (such as TLS) is another safe harbor for transmitting protected consumer data and field reports.
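The two rules above (only use “https://” sites, and only use mail that is protected by TLS) can be turned into a small self-check that a compliance officer can run against the list of systems a field laptop is configured to reach. The following Python script is an added example and is not part of the original article or of any agency’s software: the endpoint list is constructed for illustration, the host names are placeholders, and the script shows a TLS client setting that behaves like the browser described above (certificate required, host name checked, TLS 1.2 or newer) beside the weak setting that would silently accept a man-in-the-middle.

```python
"""Offline compliance checks for the "encrypted protocols only" rule.

Added example. The endpoint list below is constructed for illustration and
the host names are placeholders, not any agency's real systems.
"""
import ssl
from urllib.parse import urlparse

# Constructed sample: URLs a field agent's laptop is configured to use.
SAMPLE_ENDPOINTS = [
    "https://portal.example-agency.test/reports",
    "http://legacy-updates.example-agency.test/status",  # plain HTTP: readable by anyone on the same Wi-Fi
    "https://mail.example-agency.test/owa",
    "ftp://files.example-agency.test/uploads",           # no TLS at all
]

# Schemes that carry their payload inside TLS (or SSH for sftp).
ENCRYPTED_SCHEMES = {"https", "wss", "sftp", "ftps"}


def find_unencrypted_endpoints(urls):
    """Return the URLs whose scheme would send consumer data in the clear."""
    return [u for u in urls if urlparse(u).scheme.lower() not in ENCRYPTED_SCHEMES]


def make_strict_tls_context():
    """Client settings that detect a tampered connection the way a browser does.

    create_default_context() already requires a trusted certificate and a
    matching host name; the assignments below make that explicit and also
    refuse obsolete protocol versions.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_tls_context_for_comparison():
    """The setting that a 'just make the error go away' fix often produces.

    With verification off, a network owner can present any certificate and
    read or modify the traffic without the client noticing.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True only if the context would reject an untrusted or mismatched certificate."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    for url in find_unencrypted_endpoints(SAMPLE_ENDPOINTS):
        print("NOT COMPLIANT (unencrypted):", url)
    print("strict context passes check:", context_is_strict(make_strict_tls_context()))
    print("weak context passes check:  ", context_is_strict(make_weak_tls_context_for_comparison()))
```

Any URL reported by `find_unencrypted_endpoints` should be moved to an HTTPS equivalent or blocked from use off-premises; any agency tool that builds its own TLS connection should produce a context for which `context_is_strict` returns true.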
If you, as an asset recovery agency owner, manager or compliance officer, want to ensure that a field agent’s use of “FREE PUBLIC WI-FI” does not violate consumer data protection laws and become a major issue, it is extremely important, and your responsibility, to install an encrypted VPN and require all employees to use that system when they are off agency premises.
By utilizing an encrypted VPN, you can demonstrate to your clients and any system auditor that you are aware of the requirements to protect consumer data and that your recovery agency has taken appropriate precautions to reasonably ensure that all consumer protected data provided by your clients and entered in the network traffic will be safe from hackers and prying eyes.
Ron L. Brown MCE, IFCCE, CARS, MPRS, CFA
Eagle Group XX