Mortgage Analytics Company Settles FTC Allegations It Failed to Ensure Vendor Was Adequately Protecting Consumer Data

A mortgage industry data analytics company will be required to implement a comprehensive data security program as part of a settlement resolving Federal Trade Commission allegations that the firm failed to ensure one of its vendors was adequately securing personal data about tens of thousands of mortgage holders. 

In its complaint, the FTC alleged that Texas-based Ascension Data & Analytics, LLC violated the Gramm-Leach Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. As part of that program, financial institutions must oversee their third-party vendors, by ensuring they are capable of implementing and maintaining appropriate safeguards for customer information, and requiring them to do so by contract. The FTC alleged that Ascension failed to do this.

“Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”

The FTC alleged that a vendor, OpticsML, which Ascension hired to perform text recognition scanning on mortgage documents, stored the contents of the documents on a cloud-based server in plain text, without any protections to block unauthorized access, such as requiring a password or encrypting the information.

The documents contained sensitive information about mortgage holders and others, such as names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, or credit files. As a result of the inadequate security, the cloud-based server containing the mortgage data was accessed dozens of times, according to the complaint.

The FTC alleged that Ascension failed to adequately vet OpticsML and other vendors; that Ascension’s contracts with vendors did not require them to safeguard the information; and that Ascension failed to conduct risk assessments of all of its third-party vendors, as required under the Safeguards Rule. 

In addition to implementing a data security program, the proposed settlement also requires Ascension to undergo biennial assessments of the effectiveness of its data security program by an independent organization, which the FTC has authority to approve. It also requires a senior company executive to certify annually that the company is complying with the order. Other provisions of the proposed settlement include a requirement that Ascension report any future data breaches to the Commission within 10 days of notifying other federal or state government agencies.

The Commission voted 3-1-1 to issue the proposed administrative complaint and to accept the consent agreement with the company. Commissioner Rebecca Kelly Slaughter did not participate. Commissioner Rohit Chopra voted no and issued a dissenting statement. Commissioner Noah Joshua Phillips issued a separate statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.