The Federal Trade Commission (FTC) announced that Ascension Data & Analytics agreed to settle its complaint alleging that the firm failed to ensure that its vendors have adequate consumer data protection.
Ascension Data & Analytics is based in Texas. Its business is focused on providing data analytics to the mortgage industry.
Under the proposed settlement, Ascension Data & Analytics agreed to undergo biennial assessments of the effectiveness of its data security program by an independent organization.
The mortgage industry data analytics provider also agreed to require its senior executive to certify every year that it is complying with the order. It also agreed to report to the FTC any future data breaches within 10 days of notifying other federal or state government agencies.
Allegations against Ascension Data & Analytics
In its complaint, the FTC alleged that the mortgage industry data analytics firm violated the Gramm-Leach Bliley Act’s Safeguards Rule.
Ascension Data & Analytics allegedly failed to follow the Rules’ requirement or financial institutions, which is to develop, implement, and maintain a comprehensive information security program.
Additionally, the FTC alleged that the mortgage industry data analytics firm failed to supervise its third-party vendor and make sure it is capable of implementing and maintaining appropriate safeguards for customer information.
That vendor is OpticsML, which is responsible for securing the personal data of tens of thousands of mortgage holders.
Ascension Data & Analytics hired Optics ML to perform text recognition scanning on mortgage documents and save the contents of the documents on a cloud-based server in plain text without any protections to block unauthorized access, such as requiring a password or encrypting the information.
The documents contained sensitive information about mortgage holders and others including their names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, or credit files. As a result of the inadequate security, the cloud-based server containing the mortgage data was accessed dozens of times, according to the complaint.
Ascension Data & Analytics failed to conduct risk assessments of all of its third-party vendors, as required under the Safeguards Rule, the FTC alleged.
In a statement, FTC Bureau of Consumer Protection Director Andrew Smith said, “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk. If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”
Have a story you want USA Herald to cover? Submit a tip here and if we think it’s newsworthy, we’ll follow up on it.
Want to contribute a story? We also accept article submissions – check out our writer’s guidelines here.