FTC Announces Enforcement Action over Inadequate Third-Party Risk Management Practices under the GLBA’s Safeguards Rule
On December 15, 2020, the Federal Trade Commission announced a settlement with Ascension Data & Analytics, LLC, a Texas-based mortgage data analytics company (“Ascension”), to resolve allegations that the company failed to ensure that one of its vendors adequately secured the personal data of mortgage holders. The FTC claimed that Ascension's vendor, OpticsML, stored documents containing information such as names, social security numbers, and credit information affecting tens of thousands of mortgage holders in plain text on a cloud-based server, without any protections to block unauthorized access. The FTC also claimed that the cloud-based server had been exposed to unauthorized access dozens of times due to inadequate protection.
In its complaint, the FTC alleged that Ascension had violated the Gramm-Leach-Bliley Act (“GLBA”) by failing to develop, implement, and maintain a comprehensive information security program as required by the GLBA’s Safeguards Rule. As part of such a program, financial institutions must review and oversee vendors to ensure that they are able to implement and maintain adequate security for customer information, and must also include information security requirements in vendor contracts.
Under the proposed settlement, Ascension must implement a comprehensive information security program. In addition, the proposed settlement requires Ascension to have the effectiveness of its information security program assessed every two years by an independent organization that the FTC has the authority to approve. The proposed settlement also requires a senior executive to certify annually that the company is complying with the order and has found no material violations. Ascension must also report future data breaches to the FTC within 10 days of notifying other federal or state agencies.
Andrew Smith, Director of the FTC Consumer Protection Bureau, stated: “[o]versight of providers is an important part of a comprehensive data security program, especially where these providers can compromise sensitive consumer data.”
Read the proposed settlement.