Mortgage Analytics Company and FTC Agree to Settlement on Allegations Related to Third-Party Vendor Data Breach

Balch & Bingham LLP
Contact

Ascension Data & Analytics LLC, a data analytics company for the mortgage industry, has entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following allegations that it violated the Gramm-Leach-Bliley Act’s (GLB) Safeguards Rule by failing to ensure that a third-party vendor was adequately securing data of mortgage holders. The FTC complaint states that Ascension contracted with the third-party vendor, OpticsML, to scan and store mortgage documents containing sensitive financial information of thousands of mortgage holders. OpticsML stored these documents on a cloud-based server and in a separate cloud-based storage location but failed to protect or encrypt the server and storage locations, which left them unprotected on the internet from January 2018 to January 2019. As a result, approximately 52 unauthorized IP addresses accessed them with most of the IP addresses coming from computers outside of the United States, including addresses from Russia and China.

The FTC complaint concludes that Ascension violated Section 501(b) of the GLB Act (or the Safeguards Rule) which  requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive information security program. The Safeguards Rule also requires financial institutions to oversee their third-party vendors and ensure that third-party vendors are capable of maintaining and implementing safeguards appropriate for the type of personal information collected from customers. The Safeguards Rule requires these types of measures to be in the contracts between the financial institutions and third-party vendors. The FTC complaint alleges that Ascension failed to take any formal steps to evaluate whether OpticsML could reasonably protect the personal information in the mortgage documents and failed to contractually require OpticsML to implement adequate safeguards.

FTC and Ascension have now entered into a proposed settlement agreement to resolve these allegations. The settlement agreement requires Ascension to implement a comprehensive data security program, conduct biennial assessments of the effectiveness of the data security program, and provide yearly certifications to the FTC that Ascension is complying with the FTC’s order. Ascension must also report any future data breaches to the FTC within 10 days of notifying federal or state government agencies.

On December 23, 2020, a description of the proposed settlement agreement was published in the Federal Register. The agreement will be subject to public comment for 30 days, after which the Commission will decide whether to make the proposed agreement final.

To view the FTC Complaint, click here.

To view the Proposed Settlement Agreement, click here.

To view the Federal Register Notice, click here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Balch & Bingham LLP | Attorney Advertising

Written by:

Balch & Bingham LLP
Contact
more
less

Balch & Bingham LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.