FTC Announces Enforcement for Inadequate Third Party Risk Management Practices Under the GLBA’s Safeguards Rule
Hunton Andrews Kurth writes:
On December 15, 2020, the Federal Trade Commission announced a proposed settlement with Ascension Data & Analytics, LLC, a Texas-based mortgage industry data analytics company (“Ascension”), to resolve allegations that the company failed to ensure one of its vendors was adequately securing personal information of mortgage holders. The FTC alleged that Ascension’s vendor, OpticsML, stored documents with information, such as names, Social Security numbers and loan information, pertaining to tens of thousands of mortgage holders on a cloud-based server in plain text without any protections to block unauthorized access. The FTC further alleged that, as a result of the inadequate protections, the cloud-based server was subject to unauthorized access dozens of times.
Read more on Hunton Andrews Kurth.
Enforcement actions under the Gramm-Leach Bliley Act (“GLBA”) Safeguards Rule have been rare, and I am glad to see this one. Given how many cloud storage leaks or misconfigurations researchers find on a daily basis, maybe a settlement like this one — if it gets enough media coverage — may make some companies a bit more diligent about complying with GLBA and checking their vendor’s security? Or maybe it will take half a dozen more such enforcement actions before enforcement begins to make a dent. In any event, kudos to FTC for pursuing this issue.