The Federal Trade Commission (“FTC”) announced a proposed settlement on December 15, 2020, with a mortgage analytics company that, the FTC maintains, failed to adequately oversee the data security practices of one of its third-party vendors, as required under the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”). This proposed settlement signals a focus on third-party scrutiny that companies should take seriously in the coming year.
The Safeguards Rule and the Proposed Settlement
The Safeguards Rule requires all applicable financial institutions to develop, implement, and maintain a comprehensive information security program. As part of such a program, financial institutions must review and oversee third-party vendors to ensure they are capable of implementing and maintaining appropriate security for customer information, in addition to including appropriate information security requirements in third-party vendor contracts.
The FTC alleged that the mortgage analytics company’s third-party vendor, a company engaged to perform text recognition scanning on mortgage documents, stored the data from the scanned documents - including sensitive data about mortgage holders and others, such as names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, and driver’s license numbers - on a cloud-based server in plain text, without any protections to block unauthorized access.
The FTC claimed that the mortgage analytics company violated the Safeguards Rule by failing (i) to adequately review the third-party vendor at issue, as well as other third-party vendors; (ii) to implement information security safeguard requirements in third-party vendor contracts; and (iii) to conduct risk assessments for all of its third-party vendors.
Pursuant to the proposed settlement, the company is required to implement a comprehensive information security program, as well as:
- assess and document, at least every twelve (12) months and promptly following a security incident, internal and external threats to the security of GLBA-covered information;
- conduct written assessments of each third-party vendor to determine the adequacy of its safeguards at least every twelve (12) months and promptly following a security incident;
- undergo biennial assessments of the effectiveness of its data security program by an independent organization, which the FTC has authority to approve;
- have a senior company executive annually certify that the institution is complying with the final FTC order; and
- report any future data breaches to the FTC within 10 days of notifying other federal or state government agencies.
In addressing the importance and increased awareness of the Safeguards Rule requirements, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, stated that “[o]versight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk.” Financial institutions should ensure that they are in compliance with the Safeguards Rule generally and also engage in initial due diligence and continuous oversight of their vendors in order to avoid enforcement based on their vendors’ conduct.
This most recent settlement signals three significant considerations for financial institutions subject to FTC oversight and a fourth that is applicable more broadly:
- First, as highlighted in a virtual workshop hosted by the FTC in July to discuss proposed rule changes, it appears that the FTC may be increasing enforcement efforts relating to the Safeguards Rule.
- A potential point of focus for those Safeguards Rule enforcement efforts may be third-party vendor oversight – including both operational awareness of third-party vendor security measures and implementation of appropriate contracting based on the types of data involved in the transfer.
- Financial institutions need to operationalize written policies and procedures through implementing functional controls, conducting assessments, and ensuring appropriate contracting efforts, particularly around third-party risk.
- Lastly, there is no reason to believe the FTC will confine its scrutiny of vendor relationships solely to financial institutions. While the Safeguards Rule affords a ready basis on which to ground enforcement efforts, the FTC certainly asserts the authority more generally to require reasonable vendor practices as part of its general oversight of companies’ privacy and security representations. Hence, all companies should take care to review their vendor relationships on a regular basis.