FTC: You Are Only As Good As Your Weakest Service Provider

Fox Rothschild LLP

The Federal Trade Commission (FTC) recently took an enforcement action against an analytics company for violating the FTC's Safeguards Rule, issued pursuant to the Gramm-Leach-Bliley Act (GLBA), by failing to properly vet a third-party vendor it engaged. The vendor stored personal information in cleartext in an unprotected cloud-based location that could be accessed by anyone with the relevant URL. The information was exposed for a year and was accessed from 52 unauthorized IP addresses.

The company, Ascension Data & Analytics, was ordered to:

  • Put in place a written data security program.
  • Designate a person responsible for managing the data security program.
  • Conduct an annual risk assessment.
  • Require every vendor, in advance of engaging them, to:
    • Provide documentation of their information security practices.
    • Describe how and where the personal information will be stored and the protections that will be applied to it.
    • Assess the risk to the information they receive, including annual vulnerability scanning and a penetration test.
  • Contractually require vendors to implement and maintain safeguards for personal information.
  • Assess the sufficiency of the safeguards annually and after any incident.
  • Assess the data security program at least annually and after any incident.
  • Present for review initial and biennial data security assessments performed by a third party.
  • Provide an annual certification from a senior corporate manager regarding compliance with this order.
  • Report to the FTC about any data breach incident.

Takeaways

  • It is not enough to have a written program that requires vendors to fill out an information security questionnaire if you do not then take the steps laid out in your program to evaluate whether the vendor could reasonably protect the personal information.
  • It is NOT enough to say in your contract with the vendor that “any nonpublic personal information . . . shall be protected from disclosure with all the provisions of the GLBA.”
  • You should include provisions that at least require compliance with the Safeguards Rule.
  • You should specify in your contract the actual safeguards that service providers must implement, or otherwise require them to take reasonable steps to secure personal information.
  • You need to conduct a risk assessment for all your vendors.

Read the Complaint.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
