You Can’t Outsource Information Risk: Non-Bank Financial Institutions Must Ensure that Vendors Protect Sensitive Information

January 22, 2021

On December 15, 2020, the Federal Trade Commission (FTC) announced a settlement with a mortgage industry data analytics company requiring the implementation of a comprehensive data security program. This settlement underscores the requirement that all “financial institutions” subject to the FTC’s jurisdiction must require service providers to protect customer information as part of a comprehensive information security program. 

The FTC Complaint

The FTC alleged that Ascension Data & Analytics, LLC (Ascension Data) violated the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued under Title I of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801, et seq., by failing to ensure that one of its vendors had adequately secured the non-public personal information (“customer information”) of mortgage holders.

The FTC’s authority to enforce the Safeguards Rule covers certain “financial institutions” that are “significantly engaged” in providing financial products or services. This definition includes check-cashing businesses, mortgage companies, mortgage brokers, payday lenders, nonbank lenders, personal property or real estate appraisers, and debt collectors – but not banks, savings and loan institutions, and federal credit unions.

The Information Security Program Required by the Safeguards Rule

The Safeguards Rule requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive information security program. Of particular relevance is 16 C.F.R. Section 314.4(d):

Assure that contractors or service providers are capable of maintaining appropriate safeguards for [customer information], and require all such third parties, by contract, to implement and maintain an information security program.

According to the FTC Complaint, Ascension’s contracts with its service providers did not make those vendors responsible for protecting customer information, state that vendors were subject to the Safeguards Rule, or specify the safeguards that vendors had to implement. As a result, an Ascension vendor hired to conduct Optical Character Recognition (OCR) scanning of certain mortgage documents left the sensitive personal information of tens of thousands of consumers unprotected on the internet for more than a year.

Ongoing Risk Management is Critical

If a financial institution puts customer information into the hands of third parties, it must exercise ongoing risk management over the entire third-party vendor contract “lifecycle,” including planning, vendor selection, contract negotiation that sets out specific requirements, and ongoing oversight. As is often said, you can outsource the technology services, but you cannot outsource the risk.

Adams and Reese’s Privacy, Cybersecurity, and Data Management team has previously reported on the importance of vendor management in the cybersecurity space and will continue to monitor developments in this arena.