The FTC recently announced a proposed settlement with a mortgage analytics company over allegations that the company violated the Safeguards Rule when it failed to ensure that one of its vendors was adequately securing the personal data of mortgage holders.
According to the FTC’s complaint, the company hired a vendor to perform text recognition scanning on mortgage documents containing sensitive consumer data but failed to vet the vendor’s security measures before doing so. The vendor later allegedly failed to safeguard this information while storing it on a misconfigured cloud-based server, which left the information exposed online to the public for an extended period of time. During this period, the FTC alleges, the exposed consumer data was accessed by approximately 52 unauthorized IP addresses.
The FTC claims that the company failed to take reasonable steps to select vendors capable of appropriately safeguarding consumer data despite maintaining a vendor risk management policy containing due diligence procedures for vendor selection. The FTC also alleges that the company failed to identify the security risks to consumer data and assess the sufficiency of any safeguards in place to control those risks, all in violation of the Safeguards Rule.
Under the terms of the proposed settlement, the company will be required to maintain a comprehensive data security program and obtain data security assessments by a third party. Additionally, the proposed settlement requires the company to maintain certain records and submit regular compliance reports to the FTC. In agreeing to the proposed settlement, the company neither admits nor denies any of the allegations in the complaint, except for jurisdictional purposes.