Section 649.NEW - [Newly enacted section not yet numbered] [Written security policy for collection agents working remotely]1. A collection agency shall develop and implement a written security policy for collection agents who work from a remote location to ensure that the data of debtors, customers and the collection agency is secure and protected from unauthorized disclosure, access, use, modification, duplication or destruction. The security policy must include, without limitation:(a) Access to the technological systems of the collection agency through a virtual private network or other similar network or system which:(1) Utilizes multifactor authentication, data encryption and frequent password changes; and(2) Automatically locks a collection agent out of his or her account if suspicious activity is detected;(b) A procedure to immediately update and repair any security network or system to ensure that current security technologies are utilized;(c) A requirement to store all data of debtors, customers and the collection agency on designated drives that are safe, secure and expandable;(d) A requirement that collection agents work on electronic devices that are secured with software and hardware protections including, without limitation, antivirus software and a firewall;(e) A requirement that collection agents access any system of the collection agency through an electronic device that has been issued by the collection agency and a prohibition on using such an electronic device for personal purposes;(f) A procedure for the containment and disclosure of any breach of data that occurs, including, without limitation, the issuance of any disclosure that is required by law;(g) A procedure for the protection of data during a natural disaster or other emergency that has the potential to impact the data or electronic devices of the collection agency at a remote location and the recovery of data after such a natural disaster or other emergency;(h) A procedure for the secure disposal of data in accordance with any applicable law or contract;(i) A procedure for conducting an annual risk assessment concerning the protection of the data of debtors, customers and the collection agency and a plan to implement new policies based on the results of the risk assessment; and(j) Procedures to: (1) Prevent a former collection agent from accessing any system of the collection agency; and(2) Remotely disable or remove all data from an electronic device owned by the collection agency at the remote location.2. A collection agency that complies with the requirements of 16 C.F.R. Part 314 satisfies the requirements of this section.Added by 2023, Ch. 534,§9, eff. 10/1/2023.