January 19, 2021

Volume XI, Number 19

January 18, 2021

Data Analytics Company Settles with FTC Over Alleged Data Security Violations

Third-party service providers are vital to many companies and they handle a wide range of business activities essential for companies to deliver their own offerings. But a company is not adequately protecting consumers if it fails to perform proper due diligence on service providers and contractually require them to employ appropriate security measures to protect sensitive personal information, as Ascension Data & Analytics, LLC (Ascension) discovered. Ascension, a data analytics company serving the mortgage industry, recently settled with the Federal Trade Commission (FTC) over charges that it violated the Gramm-Leach-Bliley (GLB) Act Safeguards Rule, as well as its own policies, when it neglected to vet the data security practices of a service provider and require the vendor to adequately protect personal information of mortgage holders. While the settlement involves a financial institution subject to the GLB Act, it is instructive for all businesses that maintain consumers’ personal information and share it with third parties.

The GLB Act governs a range of business activities by “financial institutions” (a term that is broadly defined to include many types of companies), including lending, stockbroking and investing, banking, insuring, and providing financial advisory services. Under the GLB Act Safeguards Rule, all covered entities must develop, implement, and maintain a comprehensive, written information security program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of the company and the sensitivity of the personal information collected. In addition, they are required to ensure that third-party service providers can maintain appropriate safeguards to protect consumers’ personal information and are contractually bound to do so.

The FTC’s complaint alleged that Ascension hired a vendor, OpticsML, to process tens of thousands of mortgage documents that contained personal information of more than 60,000 consumers, including names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, and other financial information. According to the complaint, Ascension failed to review OpticsML’s security practices before providing OpticsML with documents containing sensitive personal information, which OpticsML stored on a cloud-based server without adequate security measures. As a result of such failure, sensitive personal information was accessible by unauthorized persons for about one year.

The proposed settlement requires Ascension to establish, implement, and maintain a comprehensive data security program overseen by a designated employee, undergo biennial security assessments by an independent entity, and provide an annual certification by a senior executive that the company is complying with the FTC’s order. The settlement serves as a reminder for businesses in all industries, and not just financial institutions, of the importance of (1) implementing and maintaining written security programs, (2) regularly reviewing the procedures and ensuring that appropriate personnel are aware of the requirements, and (3) ensuring that service providers have appropriate security programs and measures in place before sharing personal information with them. All businesses should keep abreast of the rapidly developing privacy and data security landscape and their obligations under federal and state laws.

© 2020 Keller and Heckman LLP
National Law Review, Volume XI, Number 6
About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...

202-434-4234