FTC: You Are Only As Good As Your Weakest Service Provider

Fox Rothschild LLP

Fox Rothschild LLP

The Federal Trade Commission (FTC) recently entered into an enforcement action with an analytics company for breaching the FTC's Safeguards Rule issued pursuant to the Gramm-Leach-Bliley Act (GLBA) by failing to properly vet a third-party vendor it engaged. The vendor stored personal information in cleartext in an unprotected cloud-based location that could be accessed by anyone with the relevant URL. The information was exposed for a year and was accessed by 52 unauthorized IP addresses.

The company, Ascension Data & Analytics, was ordered to:

  • Put in place a written data security program.
  • Designate a person responsible for managing the data security program.
  • Conduct an annual risk assessment.
  • Require every vendor in advance of engaging them to:
    • Provide documentation of their information security practices
    • Describe how and where the personal information will be stored and the protections that will be applied to it
    • Assess the risk to the information they receive including an annual vulnerability scanning and penetration test.
  • Contractually require vendors to implement and maintain safeguards for personal information.
  • Assess the sufficiency of the safeguards annually and after any incident.
  • Assess the data security program at least annually and after any incident.
  • Present for review initial and biennial data security assessments performed by a third party.
  • Provide an annual certification from a senior corporate manager re: compliance with this order.
  • Report to the FTC about any data breach incident.


  • It's not enough to have a written program that requires vendors to fill out an information security questionnaire if you then don't take steps laid out in your program to evaluate whether the vendor could reasonably protect the personal information.
  • It is NOT enough to say in your contract with the vendor that “any nonpublic personal information . . . shall be protected from disclosure with all the provisions of the GLBA."
  • You should include provisions that at least require compliance with the Safeguards Rule.
  • You should specify in your contract the actual safeguards that service providers must implement, or otherwise require them to take reasonable steps to secure personal information.
  • You need to conduct a risk assessment for all your vendors.

Read the Complaint.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.