Your Vendor’s Keeper: FTC Holds Company Responsible for Its Vendor’s Data Security Lapses

  • The FTC reached a settlement with data analytics company Ascension Data & Analytics, LLC (“Ascension”) to resolve allegations that it failed to properly oversee a vendor’s handling of sensitive consumer information in violation of the Gramm-Leach Bliley Act’s implementing rule, the Standards for Safeguarding Customer Information Rule.
  • According to the complaint, an Ascension-hired vendor performed text recognition scanning on tens of thousands of mortgage documents that contained sensitive personal data, including social security numbers, birth dates, and credit files, and then stored the scans on a cloud server in plain text and without any security measures to prevent unauthorized access. The complaint also alleges that the server with this data was accessed multiple times, including by computers with IP addresses associated with Russia and China.
  • Under the terms of the proposed consent order, among other things, Ascension agreed to implement a comprehensive data security program, including requiring each vendor to provide information on its data security programs and taking measures to assess the cybersecurity risk to sensitive information shared by Ascension with each vendor. Ascension is also required to undergo independent third-party assessments of its data security program and to designate an employee to oversee and be responsible for the data security program.