Third-party service providers are vital to many companies, handling a wide range of business activities that companies rely on to deliver their own offerings. But a company is not adequately protecting consumers if it fails to perform proper due diligence on its service providers and to contractually require them to employ appropriate security measures to protect sensitive personal information, as Ascension Data & Analytics, LLC (Ascension) discovered. Ascension, a data analytics company serving the mortgage industry, recently settled with the Federal Trade Commission (FTC) over charges that it violated the Gramm-Leach-Bliley (GLB) Act Safeguards Rule, as well as its own policies, when it neglected to vet the data security practices of a service provider and to require the vendor to adequately protect the personal information of mortgage holders. While the settlement involves a financial institution subject to the GLB Act, it is instructive for all businesses that maintain consumers’ personal information and share it with third parties.
The GLB Act governs a range of business activities by “financial institutions” (a term that is broadly defined to include many types of companies), including lending, stockbroking and investing, banking, insuring, and providing financial advisory services. Under the GLB Act Safeguards Rule, all covered entities must develop, implement, and maintain a comprehensive, written information security program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of the company and the sensitivity of the personal information collected. In addition, they are required to ensure that third-party service providers can maintain appropriate safeguards to protect consumers’ personal information and are contractually bound to do so.
The FTC’s complaint alleged that Ascension hired a vendor, OpticsML, to process tens of thousands of mortgage documents containing the personal information of more than 60,000 consumers, including names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, and other financial information. According to the complaint, Ascension failed to review OpticsML’s security practices before providing OpticsML with documents containing sensitive personal information, which OpticsML stored on a cloud-based server without adequate security measures. As a result of this failure, the sensitive personal information was accessible to unauthorized persons for about one year.
The proposed settlement requires Ascension to establish, implement, and maintain a comprehensive data security program overseen by a designated employee, undergo biennial security assessments by an independent entity, and provide an annual certification by a senior executive that the company is complying with the FTC’s order. The settlement serves as a reminder for businesses in all industries, and not just financial institutions, of the importance of (1) implementing and maintaining written security programs, (2) regularly reviewing the procedures and ensuring that appropriate personnel are aware of the requirements, and (3) ensuring that service providers have appropriate security programs and measures in place before sharing personal information with them. All businesses should keep abreast of the rapidly developing privacy and data security landscape and their obligations under federal and state laws.