On December 15, 2020, the FTC announced a proposed settlement with Ascension Data & Analytics, LLC, a mortgage industry analytics company, related to alleged violations of the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. In particular, the FTC claimed that Ascension Data & Analytics’ vendor, OpticsML, left “tens of thousands of consumers[’]” sensitive personal information exposed “to anyone on the internet for a year” due to an error configuring the server and the storage location. The FTC contended that Ascension Data & Analytics failed to properly oversee OpticsML. The FTC voted 3-1-1 to issue the administrative complaint and to accept the consent agreement, with the full consent agreement package to be published soon in the Federal Register for the 30-day comment period.
As detailed in the FTC’s complaint, Ascension Data & Analytics contracted with OpticsML to OCR mortgage documents. OpticsML stored the information on a cloud-based server and in a separate cloud-based storage location. Due to a configuration issue, the database was publicly exposed, meaning anyone could access the personal information without the need for credentials. Although Ascension Data & Analytics required vetting security measures of its vendors in its “Third Party Vendor Risk Management” policy, which was in place since September 2016, the FTC claimed that Ascension Data & Analytics never vetted OpticsML. Additionally, the FTC asserted that since at least September 2016, Ascension Data & Analytics never required its service providers to implement privacy measures to protect personal information.
The proposed settlement contains multiple action items for Ascension Data & Analytics to complete. Ascension Data & Analytics must establish and implement a data security program, engage an independent third-party professional to assess the procedures on an initial and biennial basis, and certify annually to the FTC its compliance with the settlement. As part of the mandated data security program, Ascension must not only conduct initial due diligence on any vendor with access to consumer data, but it must also conduct an annual written assessment of each vendor “commensurate with the risk it poses to the security of” personal information.
There are three big takeaways from the complaint and settlement.
- First, the FTC is ramping up enforcement of the Safeguards Rule. This is not much of a surprise given the FTC’s focus on the Safeguards Rule, as evidenced by the virtual workshop it hosted this summer to discuss the proposed changes to the rule.
- Second, the FTC appears to see vendor oversight as a key component of implementation of the Safeguards Rule. While other agencies, such as the CFPB, have indicated a specific interest in vendor oversight, this is now on the FTC’s radar.
- Finally, this settlement underscores that regulated entities need to actively operationalize written policies and procedures, particularly around third-party risk. Financial institutions should ensure that they are in compliance with the Safeguards Rule generally and also engage in initial due diligence and continuous oversight of their vendors in order to avoid enforcement based on their vendors’ conduct.
Continue to look for further updates and alerts from Bradley relating to privacy rights and obligations.