Resolve to Enhance Your Company’s Vendor Oversight Practices in 2021
Mortgage Industry Data Analytics Company Settles FTC Allegations that it Failed to Ensure Vendor was Adequately Protecting the Personal Information of Consumers
We tend to start each new year with a list of resolutions and then break one of those resolutions within the first few days. There is one resolution that should be at the top of your company’s “to do” list in 2021, and it is a resolution your company should strive to keep throughout the year and beyond.
The recent revelations of the Russian government’s hack into SolarWinds’ proprietary software network monitoring program, which then allowed the Russian government to infiltrate scores of government and private networks, have captured the headlines. The ever-expanding reach of this recent cyberattack highlights the importance of ensuring that your third-party vendors, whether they provide software or some other product or service for your company, understand that they must protect the personal information you provide to them or that they may have access to during the term of the relationship. These vendors need to maintain their own robust and comprehensive data security programs, and your company should resolve to ensure they do so.
Case Study: Dropping the Ball on Vendor Oversight
It does not take a nation-state actor to cause data security problems for companies. On December 15, 2020, the Federal Trade Commission (FTC) announced a proposed consent order with Texas-based Ascension Data & Analytics, LLC (AD&A), a mortgage industry data analytics company, requiring the company to implement a comprehensive data security program to resolve allegations that the company failed to ensure that one of its vendors adequately protected the confidentiality and security of the personal information of tens of thousands of mortgage holders.
In its complaint, the FTC alleged that AD&A violated the Gramm-Leach-Bliley Act’s Safeguards Rule (Safeguards Rule), which requires financial institutions to develop, implement, and maintain a comprehensive information security program. As part of such a program, financial institutions must do the following: (1) oversee their third-party vendors to ensure they are capable of, and actually do, implement and maintain appropriate safeguards to protect the confidentiality and security of customer information; and (2) require their third-party vendors, by contract, to protect the confidentiality and security of customer information. The FTC alleged that AD&A dropped the ball on these key responsibilities.
The FTC alleged that AD&A hired a vendor, OpticsML, in early 2017 to perform optical character recognition on a set of documents tied to 37,000 residential mortgages. These documents contained the personal information of over 60,000 consumers, including their names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, and credit files. The FTC alleged that, from January 2018 to January 2019, the vendor inadvertently exposed the personal information from these mortgage documents online by storing the contents of the documents on a cloud-based server in plain text, with no protections in place to prevent unauthorized access. The information could be accessed without a password and was not encrypted, so anyone who figured out the web address of the server or storage location could view and download all of this personal information. The FTC indicated that the server and storage location were accessed by fifty-two unauthorized computers during that one-year period.
The FTC alleged that, before providing the documents to OpticsML, AD&A did not conduct any due diligence to ensure that this vendor could protect any of the personal information contained in the documents. In addition, the FTC alleged that AD&A failed to include any provisions in its contract with this vendor requiring the vendor to protect the confidentiality and security of any of the documents or any of the personal information contained in the documents.
Resolution: Enter the Regulator
The proposed settlement requires AD&A to establish, implement, and maintain a data security program in compliance with the Safeguards Rule and to undergo an initial independent assessment of the effectiveness of its data security program and then biennial independent assessments for the next 10 years. It also requires a senior executive of the company to annually certify that the company is complying with the order and requires the company to report any future data breaches to the FTC within 10 days of notification to any other federal or state government agencies. The proposed order does not require AD&A to provide compensation to any consumer impacted in the data breach at the vendor.
A description of the consent agreement package was published in the Federal Register on December 23, 2020. The agreement is open to public comment through January 22, 2021. After that date, the FTC will review the comments received and determine whether the proposed consent order will become a final order.
Key Takeaways: Focus on the Basics
The Safeguards Rule is not new. It took effect on May 23, 2003. Even after all this time and the continuing news reports of data breaches tied to lapses at third-party vendors, some companies still struggle with identifying the full range of risks they face in maintaining the personal information of consumers and with assessing whether proper safeguards are in place to protect the confidentiality and security of that information, both in their own operations and when using third-party vendors. Similar third-party vendor management and data security requirements are imposed under other federal and state statutes and regulations, so even if your company is not in the financial services industry, the protection of personal information in vendor relationships remains an imperative in 2021.
The proposed consent order is a good reminder that the basics still matter, regardless of the industry your company is in. The FTC alleged that AD&A dropped the ball in three key areas:
- Failed to conduct any initial due diligence of third-party vendors;
- Failed to include provisions in its contracts requiring vendors to protect personal information; and
- Failed to conduct risk assessments of vendors.
The first and third areas above highlight the need for companies to maintain a robust program to ensure that new vendors are vetted before onboarding and that periodic risk assessments are completed during the term of the vendor relationship. The second area above highlights the importance of ensuring that data security expectations are memorialized in every written agreement with a vendor. The revelations in this proposed consent order should serve to remind every company to resolve to maintain a robust third-party vendor management program in 2021 and beyond.