On December 15th, the FTC announced in a press release that it had reached a settlement with a mortgage industry data analytics company to resolve allegations in the FTC’s administrative complaint that the company had failed to ensure one of its vendors was adequately securing personal data about tens of thousands of mortgage holders under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. In the press release, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, stated that “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk.”
According to the FTC, Ascension Data & Analytics, LLC (Ascension) used a vendor, OpticsML, to perform text recognition scanning on mortgage documents and to store the contents of the documents on a cloud-based server in plain text. The FTC alleged in its complaint that the vendor did so without any protections to block unauthorized access, such as requiring a password or encrypting the information. The lack of such protections resulted in the FTC charging Ascension with violating the GLBA Safeguards Rule by failing to adequately vet OpticsML and other vendors; failing to enter into contracts with vendors requiring them to safeguard the information; and failing to conduct risk assessments of all of its third-party vendors. The FTC also alleged that Ascension created a written “Third Party Vendor Risk Management,” but did not follow through to ensure policies outlined in the document were actually implemented.
The proposed settlement agreement requires Ascension to implement a data security program, undergo biennial assessments of the effectiveness of its data security program by an independent organization subject to FTC approval, have a senior company executive certify annually that the company is complying with the terms of the settlement, and report any future data breaches to the FTC within 10 days of notifying other federal or state government agencies.