On December 15, 2020, the Federal Trade Commission announced a proposed settlement with Ascension Data & Analytics, LLC, a Texas-based mortgage industry data analytics company (“Ascension”), to resolve allegations that the company failed to ensure one of its vendors was adequately securing personal information of mortgage holders. The FTC alleged that Ascension’s vendor, OpticsML, stored documents with information, such as names, Social Security numbers and loan information, pertaining to tens of thousands of mortgage holders on a cloud-based server in plain text without any protections to block unauthorized access. The FTC further alleged that, as a result of the inadequate protections, the cloud-based server was subject to unauthorized access dozens of times.
In its complaint, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act (“GLBA”) by failing to develop, implement and maintain a comprehensive information security program, as required under the GLBA’s Safeguards Rule. As part of such a program, financial institutions must vet and oversee vendors to ensure they are capable of implementing and maintaining appropriate security for customer information, and must include information security requirements in vendor contracts.
Pursuant to the proposed settlement, Ascension is required to implement a comprehensive information security program. The proposed settlement also requires Ascension to undergo biennial assessments of the effectiveness of that program by an independent organization, which the FTC has authority to approve, and requires a senior manager to certify annually that the company is complying with the order and is not aware of any material noncompliance. Ascension must also report any future data breaches to the FTC within 10 days of notifying any other federal or state government agencies.
Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, stated that “[o]versight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk.”