January 21, 2022

Volume XII, Number 21

Advertisement
Advertisement

January 21, 2022

Subscribe to Latest Legal News and Analysis

January 20, 2022

Subscribe to Latest Legal News and Analysis

January 19, 2022

Subscribe to Latest Legal News and Analysis

January 18, 2022

Subscribe to Latest Legal News and Analysis

FTC Settles Over Alleged Failure to Manage Service Providers

The FTC recently settled with Ascension Data & Analytics for failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint, Ascension uses third parties to provide some of its services. One of those, OpticsML, had access to tax returns for approximately 60,000 customers. OpticsML stored the information on a cloud-based server which server was publicly accessible for a year. During that time the tax documents were accessed by unauthorized individuals. The originating IP addresses were in Russia and China.  Although the security incident was that of OpticsML, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act’s Safeguards Rule. Namely, the company failed to properly oversee its service providers and it failed to adequately assess risk. In particular, the FTC alleged that:

  • Ascension did not take steps to actually assess third parties’ security capabilities, even though it did have a policy in place requiring such due diligence.

  • Ascension failed to contractually require its service providers to implement specific safeguards. Instead contract stated only that nonpublic personal information be protected as required under GLBA and not disclosed without consent.

  • Ascension did not adequately assess risk, insofar as it only did risk assessments for a small subset of third parties (which did not include OpticsML).

Ascension has agreed to implement a comprehensive data security program and obtain initial and biennial assessments of its data security program for ten years. It has also agreed to annually certify to the FTC as well as to report any security incidents to the FTC.

Putting it Into Practice: This settlement is a reminder that the FTC expects companies to take steps to ensure their third party providers secure personal information. Measures include specific contractual terms and conducting appropriate due diligence.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 7
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Elfin Noce Business Trial Attorney
Associate

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.

Practices

  • Litigation

Industries

  • Communications

Education

  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000

Admissions

  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

202.747.2196
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Advertisement
Advertisement
Advertisement