FTC Announces Enforcement for Inadequate Third Party Risk Management Practices Under the GLBA’s Safeguards Rule
Friday, December 25, 2020
FTC Announces Enforcement for Inadequate Third Party Risk Management Practices Under the GLBA’s Safeguards Rule
Print Mail Download i

On December 15, 2020, the Federal Trade Commission announced a proposed settlement with Ascension Data & Analytics, LLC, a Texas-based mortgage industry data analytics company (“Ascension”), to resolve allegations that the company failed to ensure one of its vendors was adequately securing personal information of mortgage holders. The FTC alleged that Ascension’s vendor, OpticsML, stored documents with information, such as names, Social Security numbers and loan information, pertaining to tens of thousands of mortgage holders on a cloud-based server in plain text without any protections to block unauthorized access. The FTC further alleged that, as a result of the inadequate protections, the cloud-based server was subject to unauthorized access dozens of times.

In its complaint, the FTC alleged that Ascension violated the Gramm-Leach Bliley Act (“GLBA”) by failing to develop, implement and maintain a comprehensive information security program, as required under the GLBA’s Safeguards Rule. As part of such a program, financial institutions must vet and oversee vendors to ensure they are capable of implementing and maintaining appropriate security for customer information, in addition to including information security requirements in vendor contracts.

Pursuant to the proposed settlement, Ascension is required to implement a comprehensive information security program. In addition to implementing an information security program, the proposed settlement also requires Ascension to undergo biennial assessments of the effectiveness of its information security program by an independent organization, which the FTC has authority to approve. The proposed settlement also requires a senior manager to certify annually that the company is complying with the order and is not aware of any material noncompliance. Ascension must also report any future data breaches to the FTC within 10 days of notifying any other federal or state government agencies.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, stated that “[o]versight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk.”

Read the proposed settlement.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Public Notices

Current Legal Analysis

More from Hunton Andrews Kurth

The Unwitting “Employer”: Individuals Who May Be Liable for FLSA Violations
by: Juan C. Enjamio , Theanna Bezney
SEC Charges R.R. Donnelley for Ransomware Attack Response
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Minnesota Enacts Comprehensive State Privacy Law
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Court Green Lights Next Season of House of Cards Coverage Suit
by: Cary D. Steklof , Adriana A. Perez
Governor Newsom Announces Tentative Legislative Deal To Reform PAGA
by: Kirk A. Hornbeck
NIST Generative AI Profile Highlights Actions for Addressing Data Protection Risks Associated with Generative AI
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Should Artificial Intelligence Supply Plain Meaning? The 11th Circuit Wants to Know
by: Michael S. Levine , Alex D. Pappas
Standing Room Only: US Supreme Court Ruling Clarifies Insurers’ Rights in Chapter 11 Proceedings
by: Geoffrey B. Fehling , Philip M. Guffy
The Hunton Policyholder’s Guide to Artificial Intelligence: SEC’s Recent AI-Washing Claims Present D&O Risks, Potential Coverage Challenges
by: Geoffrey B. Fehling , Michael S. Levine
D.C. Circuit Overturns NLRB’s Wrongful Termination Finding Regarding Union Organizer
by: Amber M. Rogers , Keenan Judge

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins