FTC Eyes Vendor Oversight in Safeguards Rule Settlement

On December 15, 2020, the FTC announced a proposed settlement with Ascension Data & Analytics, LLC, a mortgage industry analytics company, related to alleged violations of the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. In particular, the FTC claimed that Ascension Data & Analytics’ vendor, OpticsML, left “tens of thousands of consumers[’]” sensitive personal information exposed “to anyone on the internet for a year” due to an error configuring the server and the storage location. The FTC contended that Ascension Data & Analytics failed to properly oversee OpticsML. The FTC voted 3-1-1 to issue the administrative complaint and to accept the consent agreement, with the full consent agreement package to be published soon in the Federal Register for the 30-day comment period.

As detailed in the FTC’s complaint, Ascension Data & Analytics contracted with OpticsML to OCR mortgage documents. OpticsML stored the information on a cloud-based server and in a separate cloud-based storage location. Due to a configuration issue, the database was publicly exposed, meaning anyone could access the personal information without the need for credentials. Although Ascension Data & Analytics’ “Third Party Vendor Risk Management” policy, in place since September 2016, required it to vet the security measures of its vendors, the FTC claimed that Ascension Data & Analytics never vetted OpticsML. Additionally, the FTC asserted that since at least September 2016, Ascension Data & Analytics never required its service providers to implement privacy measures to protect personal information.

The proposed settlement contains multiple action items for Ascension Data & Analytics to complete. Ascension Data & Analytics must establish and implement a data security program, engage an independent third-party professional to assess the procedures on an initial and biennial basis, and certify annually to the FTC its compliance with the settlement. As part of the mandated data security program, Ascension must not only conduct initial due diligence on any vendor with access to consumer data, but it must also conduct an annual written assessment of each vendor “commensurate with the risk it poses to the security of” personal information.

Takeaways

There are three big takeaways from the complaint and settlement.

  • First, the FTC is ramping up enforcement of the Safeguards Rule. This is not much of a surprise given the FTC’s focus on the Safeguards Rule, as evidenced by the virtual workshop it hosted this summer to discuss the proposed changes to the rule.
  • Second, the FTC appears to see vendor oversight as a key component of implementation of the Safeguards Rule. While other agencies, such as the CFPB, have indicated a specific interest in vendor oversight, this is now on the FTC’s radar.
  • Finally, this settlement underscores that regulated entities need to actively operationalize written policies and procedures, particularly around third-party risk. Financial institutions should ensure that they are in compliance with the Safeguards Rule generally and also engage in initial due diligence and continuous oversight of their vendors in order to avoid enforcement based on their vendors’ conduct.

Continue to look for further updates and alerts from Bradley relating to privacy rights and obligations.

Brian R. Epling

Brian Epling assists financial services clients, including small dollar lenders, auto finance companies, and mortgage servicers, with navigating regulatory compliance and litigation issues.

On the regulatory compliance side, Brian has assisted financial services clients with policies and procedures to comply with state and federal law and investor requirements. With respect to litigation, practicing in both Tennessee and Kentucky, Brian has successfully argued dispositive motions and appeals involving alleged violations of the Truth in Lending Act, Real Estate Procedures Act, and Fair Debt Collection Practices Act. Additionally, he has represented auto finance companies in administrative matters against the state. View articles by Brian.

Christopher K. Friedman

Chris Friedman is a regulatory compliance attorney and litigator who focuses on helping consumer finance companies and small business lenders, as well as banks, fintech companies, and other participants in the financial services industry, address the challenges of operating in a highly regulated sector. Chris focuses on both small business lenders and alternative business finance products and has helped merchant cash advance companies, non-bank small business lenders, banks who make small business loans, commercial credit counselors, lead generators, and others in the industry. He helps clients launch new products, conduct due diligence, engage in compliance reviews, evaluate litigation risk, and solve some of the unique legal problems faced by companies who work with small businesses. In that vein, Chris has written extensively about the upcoming rulemaking related to Dodd-Frank 1071, which will require data collection and reporting by companies making loans to certain small businesses. View articles by Chris.

Steve Snyder

Steve Snyder combines his engineering education and prior industry experience in information technology with 15 years of practicing as an attorney on matters involving complex legal challenges arising from emerging technology for clients across the country and beyond. Steve is also a North Carolina Board Certified Specialist in Privacy and Data Security Law. Steve is a thought leader in privacy and data security and routinely writes and speaks on CCPA and privacy topics. He advises on all aspects of clients’ privacy and data security programs and regularly works with technical, legal, and business stakeholders to mitigate security and privacy risk. He helps clients implement robust cybersecurity programs and has developed training and educational materials.