Ascension Data & Analytics LLC, a data analytics company for the mortgage industry, has entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following allegations that it violated the Gramm-Leach-Bliley Act’s (GLB) Safeguards Rule by failing to ensure that a third-party vendor was adequately securing data of mortgage holders. The FTC complaint states that Ascension contracted with the third-party vendor, OpticsML, to scan and store mortgage documents containing sensitive financial information of thousands of mortgage holders. OpticsML stored these documents on a cloud-based server and in a separate cloud-based storage location but failed to protect or encrypt the server and storage locations, which left them unprotected on the internet from January 2018 to January 2019. As a result, approximately 52 unauthorized IP addresses accessed them with most of the IP addresses coming from computers outside of the United States, including addresses from Russia and China.
The FTC complaint concludes that Ascension violated Section 501(b) of the GLB Act (or the Safeguards Rule) which requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive information security program. The Safeguards Rule also requires financial institutions to oversee their third-party vendors and ensure that third-party vendors are capable of maintaining and implementing safeguards appropriate for the type of personal information collected from customers. The Safeguards Rule requires these types of measures to be in the contracts between the financial institutions and third-party vendors. The FTC complaint alleges that Ascension failed to take any formal steps to evaluate whether OpticsML could reasonably protect the personal information in the mortgage documents and failed to contractually require OpticsML to implement adequate safeguards.
The FTC and Ascension have now entered into a proposed settlement agreement to resolve these allegations. The settlement agreement requires Ascension to implement a comprehensive data security program, conduct biennial assessments of the effectiveness of that program, and provide yearly certifications to the FTC that Ascension is complying with the FTC’s order. Ascension must also report any future data breaches to the FTC within 10 days of notifying federal or state government agencies.
On December 23, 2020, a description of the proposed settlement agreement was published in the Federal Register. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make the proposed agreement final.