On 15 February, Washington State finalized its permanent work from home rules for the collection industry. They are effective immediately, and require collection agencies licensed in Washington to take certain actions.
You can read the Washington Work From Home rule here: AMENDATORY SECTION (Amending WSR 01-11-132, filed 5/22/01, effective 6/22/01)
There are several areas that collection agencies licensed in Washington State should focus on listen below. Following the list, I'll share some additional information shared with insideARM by Kevin Underwood, an attorney at Linebarger Goggan Blair & Sampson, LLP; as well as a member of Rulemaking Committee created under the Washington State Collection Agency Board.
1) Keeping a list of all employees who are authorized to work from home.
2) Keeping a list of all company equipment in the homes (or other virtual office space) of WFH employees.
3) Remote Work Agreements, which include (taken directly from the regulation):
(a) While working remotely, the employee must agree to maintain confidentiality of consumer data, must maintain all collection agency data electronically and may not print hard copies or otherwise repro-duce copies of collection agency data.
(b) The employee must read and agree to comply with the licen-see's IT security policy and any updates.
(c) Employee must agree to maintain the safety and security of licensee's equipment at all times as more particularly described by the licensee.
(d) An employee must review a description of the specific type of collection work the employee or class of employee is allowed to perform while working from their virtual office.
(e) The employee must agree not to disclose or convey to the con-sumer that the employee is working from a virtual office or that the virtual office is a place of business.
(f) An employee must be advised that the employee's collection agency activities are subject to review and calls to and from the virtual office will be monitored and recorded.
4) Virtual office requirements, which include (taken directly from the regulation):
(a) It must have full connectivity with the licensee's business office systems including computer networks and phone system and must provide the licensee the same level of oversight and monitoring capacity as if the employee were performing their activities in the business office.
(b) It must have the capability to record calls made to and from the virtual office and to monitor virtual office calls in real time.
(c) It must be located within the United States and, within one hundred miles of the licensee's business office.
(d) It must be in a private location where the employee can maintain consumer confidentiality during the performance of their collection activities.
(e) It must meet all security requirements of this section and contain the equipment necessary to conduct the licensee's work safely and efficiently.
(f) Each employee shall be connected to the business office via a virtual office that requires unique credentialing for access by each employee.
(g) No more than one employee may work from a virtual office from the same physical location, except that cohabitating employees may each maintain a virtual office from their shared residence.
(h) Employees may not print or store physical records in the employee's virtual office.
5) Employee requirements to work from home (taken from the regulation):
(a) To become eligible to work from a virtual office, the employee must have completed a training program at the licensee's business office, which covers topics including compliance, privacy, confidentiality, monitoring and security, and other issues that apply particularly to working remotely from a virtual office.
(b) In addition, an employee must complete a minimum of forty-five days of direct oversight and mentoring in the licensee's business office prior to working from a virtual office. This requirement may be waived by the board under emergency circumstances that the board has determined makes it impossible to perform.
(c) Once an employee begins to work from a virtual office, they must be subject to the same levels of communication, management, over-sight, and monitoring via telecommunications and computer monitoring as they would if working in the business office.
(d) While working remotely the employee must comply with all applicable laws and regulations as outlined in chapters 19.16 and 18.235 RCW and chapter 308-29 WAC.
6) IT Security Policy requirements (taken from the regulation):
(a) Virtual office access to the collection agency's secure system must be through the use of a virtual private network "VPN" or other system that requires usernames and passwords, frequent password changes, authorization, multifactor authentication, data encryption, and/or account lockout implementation.
(b) The immediate installation or implementation of any system updates or repairs in order to keep information and devices secure.
(c) The provision of safe and secure storage with expandable capacity for all electronic data including consumer and licensee data.
(d) Virtual offices must contain computers and/or other electronic devices that have secure computer configurations and reasonable security measures such as updated antivirus software and firewalls.
(e) Access to licensee's systems must occur on company-issued computers and electronic devices whose use is restricted to authorized employees while working at their virtual office, and an employee's use of devices must be limited to employment related activities on behalf of licensee.
(f) Consumer data is accessed securely through the use of encryption or other secure transmission sources.
(g) An action plan has been developed and communicated with relevant employees on how to handle a data breach arising from remote access devices in accordance with applicable laws, which shall include any required disclosures of such breach.
(h) A disaster recovery plan has been developed and communicated with relevant employees on how to respond to emergencies (e.g., fire, natural disaster, etc.) that have the potential to impact the use and storage of licensee's data.
(i) The secure and timely disposal of licensee's data as required by applicable laws and contractual requirements.
(j) An annual internal or external risk assessment is performed on the collection agency's protection of licensee's data from reasonably foreseeable internal or external risks. Based on the results of the annual risk assessment, the collection agency shall make adjustments to its data security policy if warranted.
(k) The licensee can stop the virtual office's connectivity with the network and remotely disable or wipe company issued computers and electronic devices that contain or have access to licensee's information and data when an employee no longer has an employment relationship with the company.
The main disrupter is the training requirements in Washington's Work From Home regulations. According to Underwood, the original proposal was worse. The original proposal did not allow any collection agency to have work-from-home agents. Under this new regulation, for an employee to be eligible to work from home. they need to have 45 days on "in house" (in the physical office) oversight.
This would apply for anyone hired during the pandemic at a collection agency licensed in Washington State. Or, at least, that's the intent. The regulation doesn't make this explicit. Underwood, however, suggests that employees who were employed at least 45 days before the date of Washington's pandemic state of emergency would be considered to have fulfilled the "45 days of oversight" requirement.
This regulation is in effect as of 15 February 2021 -- so if you haven't already established this protocol for your Washington license, it is highly recommended that this task move a little higher up on your priority list. Washington State licensee audits will be paying close attention to these new work from home rules.