January 21, 2021

Volume XI, Number 21

Vendor Management Fail: FTC Settles with Mortgage Analytics Company following Vendor Security Issues

An oft-used business management maxim is to “hire people smarter than you.” The same maxim applies to hiring vendors: hire vendors that are better than you, especially when it comes to information security. Texas-based Ascension Data & Analytics LLC (Ascension), a technology and data analytics company serving the mortgage industry, did not apply that maxim in its vendor selection process. As a result, it recently entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following charges that it violated the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule by failing to ensure that its third-party vendor adequately protected mortgage holders’ personal information.

The FTC Safeguards Rule requires financial institutions under FTC jurisdiction* to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive written information security program. That program must contain administrative, technical, and physical safeguards appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. According to the FTC complaint, when Ascension engaged OpticsML as a third-party vendor, Ascension failed to assess OpticsML’s security measures before hiring it, in violation of Ascension’s own policies. The FTC further alleged that Ascension’s contract with OpticsML did not adequately require OpticsML to implement appropriate security measures. Finally, the complaint alleged that Ascension failed to identify the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information arising from the vendor engagement, and failed to assess the sufficiency of any safeguards in place to control those risks.

The FTC alleged that, as a result of these failures, the sensitive personal information of tens of thousands of consumers was exposed to anyone on the internet for approximately a year. During that period, approximately 52 unauthorized IP addresses accessed the servers and storage locations that held the information; most of those addresses were associated with computers outside the United States, including addresses in Russia and China.

The proposed settlement requires Ascension to: 1) implement and maintain a comprehensive data security program with extensive vendor-management requirements; 2) obtain biennial assessments of the effectiveness of its data security program from an independent third party, which the FTC has the authority to approve; 3) provide annual certifications by a senior Ascension executive that Ascension is complying with the terms of the settlement; and 4) report any future data breach to the FTC within 10 days of notifying any other federal or state government agency.

In the press release announcing the settlement, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said: “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk. If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”

The settlement offers a valuable vendor management lesson to all businesses, not just those subject to GLBA. Effective vendor risk management is a critical component of any business’s security program. A security program is only as strong as its weakest link, so when engaging vendors, businesses should “hire better,” and manage those vendors appropriately, to ensure that their vendors are not that weak link.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume XI, Number 11

About this Author

Christopher Buontempo, Associate, Mintz

Chris is a corporate attorney and a Certified Information Privacy Professional (CIPP). He has significant experience handling legal and business issues relating to technology, data privacy and security, brand protection, contract negotiation, licensing, and product development. 

Chris has held several leadership positions at technology, consumer product, and e-commerce companies. Prior to joining Mintz, he was Director of Legal Affairs and Privacy Officer at The Predictive Index, a high-growth, SaaS-based personnel assessment and technology company with an expansive international...

617-239-8322
Cynthia Larose, Member and Chair, Privacy & Cybersecurity Practice, Mintz

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732