WASHINGTON—A mortgage industry data analytics firm will be required to bolster its data security protections and oversight of its vendors to ensure third-party providers are also complying with those safeguards, according to the terms of a settlement between the company and the Federal Trade Commission.
In a complaint first announced in December 2020, the FTC alleged that Texas-based Ascension Data & Analytics, LLC had failed to fulfill provisions of the Gramm-Leach Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information.
The FTC further alleged a vendor Ascension hired to perform text recognition scanning on mortgage documents stored the contents of the documents—which included names, dates of birth, Social Security numbers and other personal information—on a cloud-based server in plain text, without any protections to block unauthorized access, such as requiring a password. As a result, the server with the mortgage information was accessed dozens of times.
After receiving one comment on the settlement, which also was announced in December 2020, the Commission voted 2-1-1 to finalize the settlement and to send a response to the commenter, the FTC said.