FTC Eyes Vendor Oversight in Safeguards Rule Settlement

On December 15, 2020, the FTC announced a proposed settlement with Ascension Data & Analytics, LLC, a mortgage industry analytics company, related to alleged violations of the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. In particular, the FTC claimed that Ascension Data & Analytics’ vendor, OpticsML, left “tens of thousands of consumers[’]” sensitive personal information exposed “to anyone on the internet for a year” due to an error configuring the server and the storage location. The FTC contended that Ascension Data & Analytics failed to properly oversee OpticsML. The FTC voted 3-1-1 to issue the administrative complaint and to accept the consent agreement, with the full consent agreement package to be published soon in the Federal Register for the 30-day comment period.

As detailed in the FTC’s complaint, Ascension Data & Analytics contracted with OpticsML to OCR mortgage documents. OpticsML stored the information on a cloud-based server and in a separate cloud-based storage location. Due to a configuration issue, the database was publicly exposed, meaning anyone could access the personal information without the need for credentials. Although Ascension Data & Analytics required vetting security measures of its vendors in its “Third Party Vendor Risk Management” policy, which was in place since September 2016, the FTC claimed that Ascension Data & Analytics never vetted OpticsML. Additionally, the FTC asserted that since at least September 2016, Ascension Data & Analytics never required its service providers to implement privacy measures to protect personal information.

The proposed settlement contains multiple action items for Ascension Data & Analytics to complete. Ascension Data & Analytics must establish and implement a data security program, engage an independent third-party professional to assess the procedures on an initial and biennial basis, and certify annually to the FTC its compliance with the settlement. As part of the mandated data security program, Ascension must not only conduct initial due diligence on any vendor with access to consumer data, but it must also conduct an annual written assessment of each vendor “commensurate with the risk it poses to the security of” personal information.

Takeaways

There are three big takeaways from the complaint and settlement.

  • First, the FTC is ramping up enforcement of the Safeguards Rule. This is not much of a surprise given the FTC’s focus on the Safeguards Rule, as evidenced by the virtual workshop it hosted this summer to discuss the proposed changes to the rule.
  • Second, the FTC appears to see vendor oversight as a key component of implementation of the Safeguards Rule. While other agencies, such as the CFPB, have indicated a specific interest in vendor oversight, this is now on the FTC’s radar.
  • Finally, this settlement underscores that regulated entities need to actively operationalize written policies and procedures, particularly around third-party risk. Financial institutions should ensure that they are in compliance with the Safeguards Rule generally and also engage in initial due diligence and continuous oversight of their vendors in order to avoid enforcement based on their vendors’ conduct.

Continue to look for further updates and alerts from Bradley relating to privacy rights and obligations.

Brian R. Epling


Brian Epling primarily assists clients with financial services litigation in Kentucky and Tennessee. Prior to joining Bradley, Brian clerked for the Honorable Joseph H. McKinley, Jr., in the U.S. District Court for the Western District of Kentucky, and the Honorable Eugene E. Siler, Jr., in the U.S. Court of Appeals for the Sixth Circuit. Because of his prior experience, Brian has not only had the opportunity to work on many issues during critical stages of litigation, but he has also seen how decisions made in the trial court directly impact the outcome of an appeal.


Christopher K. Friedman


Chris Friedman is a regulatory compliance attorney and litigator who focuses on helping consumer finance companies and small business lenders, as well as banks, fintech companies, and other participants in the financial services industry, address the challenges of operating in a highly regulated sector. Chris focuses on both small business lenders and alternative business finance products and has helped merchant cash advance companies, non-bank small business lenders, banks who make small business loans, commercial credit counselors, lead generators, and others in the industry. He helps clients launch new products, conduct due diligence, engage in compliance reviews, evaluate litigation risk, and solve some of the unique legal problems faced by companies who work with small businesses. In that vein, Chris has written extensively about the upcoming rulemaking related to Dodd-Frank 1071, which will require data collection and reporting by companies making loans to certain small businesses.

Chris has also helped banks, servicers, non-bank lenders, fintech companies, and other participants in the financial services industry handle regulatory and compliance issues as well as litigation related to consumer loans. In particular, he has helped banks and servicers solve legal problems related to loan origination, including issues related to Home Mortgage Disclosure Act (HMDA) reporting, the Truth-in-Lending Act (TILA), the Real Estate Settlement Procedures Act (RESPA), TILA-RESPA Integrated Disclosure Rule (TRID), and the Electronic Funds Transfer Act (EFTA), among other federal and state laws and regulations. Additionally, Chris has helped financial services companies and housing providers address issues related to the Equal Credit Opportunity Act (ECOA), including fair housing and fair lending matters.

Steve Snyder


Steve Snyder combines his engineering education and prior industry experience in information technology with 15 years of practicing as an attorney on matters involving complex legal challenges arising from emerging technology for clients across the country and beyond. Steve is also a North Carolina Board Certified Specialist in Privacy and Data Security Law. Steve is a thought leader in privacy and data security and routinely writes and speaks on CCPA and privacy topics. He advises on all aspects of clients’ privacy and data security programs and regularly works with technical, legal, and business stakeholders to mitigate security and privacy risk. He helps clients implement robust cybersecurity programs and has developed training and educational materials.