FTC Settles Over Alleged Failure to Manage Service Providers

Sheppard Mullin Richter & Hampton LLP
Contact

Sheppard Mullin Richter & Hampton LLP

The FTC recently settled with Ascension Data & Analytics for failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint, Ascension uses third parties to provide some of its services. One of those, OpticsML, had access to tax returns for approximately 60,000 customers. OpticsML stored the information on a cloud-based server which server was publicly accessible for a year. During that time the tax documents were accessed by unauthorized individuals. The originating IP addresses were in Russia and China. Although the security incident was that of OpticsML, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act’s Safeguards Rule. Namely, the company failed to properly oversee its service providers and it failed to adequately assess risk. In particular, the FTC alleged that:

  • Ascension did not take steps to actually assess third parties’ security capabilities, even though it did have a policy in place requiring such due diligence.
  • Ascension failed to contractually require its service providers to implement specific safeguards. Instead contract stated only that nonpublic personal information be protected as required under GLBA and not disclosed without consent.
  • Ascension did not adequately assess risk, insofar as it only did risk assessments for a small subset of third parties (which did not include OpticsML).

Ascension has agreed to implement a comprehensive data security program and obtain initial and biennial assessments of its data security program for ten years. It has also agreed to annually certify to the FTC as well as to report any security incidents to the FTC.

Putting it Into Practice: This settlement is a reminder that the FTC expects companies to take steps to ensure their third party providers secure personal information. Measures include specific contractual terms and conducting appropriate due diligence.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.