Under the GLBA’s Safeguard Rule, financial institutions such as Ascension Data & Analytics LLC must develop, implement and maintain a comprehensive information security program. The Safeguard Rule also requires financial institutions to oversee their third-party vendors and ensuring that third-party vendors are capable of maintaining and implementing safeguards appropriate for the type of personal information collected from customers. These types of measures must also be required in the contracts between financial institutions and third-parties.
In its complaint, the FTC has alleged that Ascension failed to oversee OpticsML. “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”
According to the FTC’s complaint, Ascension hired OpticsML to perform text recognition processing on mortgage documents. OpticsML then stored the data, which included personal information such as names, dates of birth, social security numbers and personal financial information on a cloud-based server and in plain text. The FTC also alleges that OpticsML failed to implement protections to prevent unauthorized access, such as requiring a password to access the data, or encrypting the data.
In the complaint, the FTC alleged that Ascension failed to require OpticsML to safeguard customer’s personal information in their contract. The FTC also alleged that Ascension failed to conduct risk assessments and properly vet OpticsML as well as other third-party vendors. These lacks of safeguards, required by the GLBA, allegedly resulted in the unauthorized access of tens of thousands of mortgage holders’ personal information.
In the proposed settlement, the FTC required Ascension to implement a data security program, as well as requiring Ascension to undergo biannual assessments, evaluating the effectiveness of the data security program. The settlement also requires a senior company executive to certify that the company is complying with the FTC’s order on a yearly basis. Further, under of the terms of the proposed settlement, Ascension must report any future data breaches to the FTC within 10 days of providing notice to federal, state and local government agencies.
The FTC’s proposed settlement further underscores the need for a robust and comprehensive information security program. The FTC’s focus on third-party vendors is in line with past decisions, further signaling that the FTC will continue its enforcement on the implementation of privacy and security safeguards. If you have any questions about your company’s compliance efforts, please contact a member of the Akin Gump Cybersecurity, Privacy and Data Protection team.
