The FTC Enforces Against Inadequate Vetting of Third-party Vendors – Lexology

Posted: December 29, 2020 at 12:43 am

The Federal Trade Commission (FTC) has recently announced a proposed settlement with Ascension Data & Analytics, LLC (Ascension), over the allegation that Ascension failed to ensure that one of its vendors was adequately securing consumers' data.

According to the FTC, one of Ascension's service providers stored documents containing sensitive information about Ascension's consumers (such as Social Security numbers) on a cloud-based server in plain text, without any protection from unauthorized access. The FTC further alleged that, because of these inadequate protections, the data was repeatedly subject to unauthorized access.

In its complaint, which is based on the Gramm-Leach-Bliley Act (GLBA), the FTC alleged that Ascension, a mortgage industry data analytics company, failed to adequately vet its vendors and that its contracts with vendors did not require them to safeguard the information.

The FTC alleged that although Ascension had an internal Third-party Vendor Risk Management policy, it did not comply with it and failed to conduct risk assessments of all of its third-party vendors. The GLBA requires covered entities to maintain comprehensive information security programs. These programs must include oversight of the entities' third-party vendors: ensuring that they are capable of implementing and maintaining appropriate safeguards, and requiring them to do so by contract.

As part of the settlement, Ascension is prohibited from collecting, processing or transferring any sensitive information prior to the implementation of a comprehensive data security program. This program has to impose at least the same security requirements on the company's vendors. Ascension must also undergo biennial assessments of the program's effectiveness by an independent assessor approved by the FTC. Ascension is also required to certify annually, through a senior company executive, that it is complying with the order, and to report any future data breaches to the FTC within 10 days of notifying other federal or state government agencies.

This enforcement action by the FTC joins its recent settlement with Zoom over its information security practices, which we previously reported on. The importance of adequate vetting procedures was also emphasized by EU regulators in a number of regulatory developments regarding international transfers of personal data. For example, as we recently reported, vetting procedures are part of the European Data Protection Board's recommendations on measures to supplement data transfer tools.

These recent enforcement and regulatory actions highlight the increased scrutiny over adequate vetting of the service providers to whom data is transferred.
