FTC Finalizes Order with Mortgage Analytics Firm, Requiring it to Strengthen Security Safeguards, Increase Oversight of Vendors

The Federal Trade Commission has given final approval to a settlement with a mortgage industry data analytics firm that will require the company to bolster its data security protections and oversight of its vendors to ensure third-party providers are also complying with those safeguards.

In a complaint first announced in December 2020, the FTC alleged that Texas-based Ascension Data & Analytics, LLC violated the Gramm-Leach Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information. The FTC alleged that Ascension failed to do this.

The FTC alleged that a vendor Ascension hired to perform text recognition scanning on mortgage documents stored the contents of the documents—which included names, dates of birth, Social Security numbers and other personal information—on a cloud-based server in plain text, without any protections to block unauthorized access, such as requiring a password. As a result, the server with the mortgage information was accessed dozens of times.

After receiving one comment on the settlement, which also was announced in December 2020, the Commission voted 2-1-1 to finalize the settlement and to send a response to the commenter.

Chair Lina M. Khan did not participate. Commissioner Rebecca Kelly Slaughter voted no and issued a dissenting statement.