On January 6, 2021, it was announced that Ascension Data and Analytics, LLC ("Ascension") settled a lawsuit with the Federal Trade Commission ("FTC") which claimed that Ascension breached the Gramm-Leach-Bliley Act ("GLBA") Safeguard Rules by failing to properly assess the security provisions of its third-party service provider and to ensure that the provider adequately protected consumers' identifying financial information. This case serves as a warning to all companies using third-party vendors.
The Gramm-Leach-Bliley Act
The GLBA governs a wide range of financial institutions, including lenders, banks, financial advisors, and others. Under the GLBA, covered entities must implement and maintain a comprehensive written information security policy appropriate to the size, scope, complexity, and nature of the personal data they collect. In other words, the more sensitive the personal data, the more rigorous the policy must be.
If a company covered by the GLBA chooses to work with a document processing center, it must ensure that the third-party vendor is also compliant.
The Safeguard Rule Violations
The FTC's complaint against Ascension alleges that Ascension hired a document processing center to process tens of thousands of mortgage documents for approximately 60,000 customers. These mortgage documents included identifying financial information such as Social Security numbers, driver's license numbers, names, loan information, and bank account information.
The complaint alleges that Ascension did not properly review the document processing center's security provisions and, as a result, the sensitive information was accessible to unauthorized users for approximately one year. This exposure was a violation of the GLBA's Safeguard Rules, which provide that financial institutions must protect the private financial data they collect.
The settlement that Ascension has reached with the FTC requires Ascension to implement and maintain a comprehensive data security program overseen by designated employees, to provide an annual certification from an executive officer attesting to compliance with the FTC order, and to undergo a security audit every two years.
Three Steps to Avoid Safeguard Rule Violations
In order to avoid these pitfalls, your business should:
- Ensure you have written security protocols,
- Regularly review and update those protocols, and
- Ensure that any third parties you work with are also compliant with the GLBA.