The FTC recently settled with Ascension Data & Analytics for failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint, Ascension uses third parties to provide some of its services. One of those, OpticsML, had access to tax returns for approximately 60,000 customers. OpticsML stored the information on a cloud-based server which server was publicly accessible for a year. During that time the tax documents were accessed by unauthorized individuals. The originating IP addresses were in Russia and China. Although the security incident was that of OpticsML, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act’s Safeguards Rule. Namely, the company failed to properly oversee its service providers and it failed to adequately assess risk. In particular, the FTC alleged that:
- Ascension did not take steps to actually assess third parties’ security capabilities, even though it did have a policy in place requiring such due diligence.
- Ascension failed to contractually require its service providers to implement specific safeguards. Instead contract stated only that nonpublic personal information be protected as required under GLBA and not disclosed without consent.
- Ascension did not adequately assess risk, insofar as it only did risk assessments for a small subset of third parties (which did not include OpticsML).
Ascension has agreed to implement a comprehensive data security program and obtain initial and biennial assessments of its data security program for ten years. It has also agreed to annually certify to the FTC as well as to report any security incidents to the FTC.
Putting it Into Practice: This settlement is a reminder that the FTC expects companies to take steps to ensure their third party providers secure personal information. Measures include specific contractual terms and conducting appropriate due diligence.