In this blog, we give an overview of a recent violation of third-party vendor requirements for financial institutions, summarizing a recent FTC press release and the negative outcomes that follow when your organization doesn’t meet its security requirements.
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
To maintain the integrity, security, and confidentiality of customer information, the Federal Trade Commission requires all financial institutions in the U.S. to abide by the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. This rule requires that financial institutions under FTC jurisdiction protect customer information by developing, implementing, and maintaining a comprehensive information security program.
As stated by Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk.”
In December, the FTC released a press release stating that Ascension Data & Analytics, LLC had violated the GLBA Safeguards Rule. The company failed to vet a third-party vendor to the standards required of the GLBA Safeguards Rule. Per the GLBA Safeguards Rule, financial institutions must oversee their third-party vendors to ensure that these vendors can implement and maintain appropriate safeguards for customer information. This is so crucial that it is required to be written into the vendor contract.
How the GLBA Safeguards Rule was Violated
Ascension hired a third-party vendor, OpticsML, to perform text recognition scanning on mortgage documents. The FTC alleges that by failing to ensure the security of OpticsML, Ascension allowed the vendor to store the contents of mortgage documents on a cloud-based server in plain text. This left Personally Identifiable Information (PII) such as SSNs, driver’s license numbers, dates of birth, loan information, and other sensitive data vulnerable to unauthorized access. Because of this inadequate security, the cloud-based server housing the sensitive information was accessed dozens of times, according to the FTC complaint. In addition to not securing the information, the FTC alleges that Ascension failed to include the necessary security requirements in its third-party contracts.
The Commission issued a proposed administrative complaint and accepted a consent agreement with Ascension. As a result of the alleged failure to comply, Ascension will be required to implement a comprehensive data security program as part of the settlement. Under this agreement, the company will also be required to undergo biennial assessments of the effectiveness of its data security program by an independent organization that the FTC has the authority to approve. Ascension will further have to report any future data breaches to the FTC within ten days of notifying other federal or state government agencies. Finally, a senior company executive will be required to certify annually that the company is complying with the order.
Getting Started with TPRM
Ensuring the security of your third-party vendors is not optional. However, getting started with a Third-Party Risk Management (TPRM) strategy is no easy task. Check out our Guide to Create a Third-Party Risk Management Program to help you get started. MindPoint Group also offers TPRM and GRC services to help guide you through the complexities of compliance.