A common corporate governance concept is to “hire people who are smarter than you”. The concept also applies to hiring vendors: hire vendors who are better than you (especially when it comes to information security). Texas-based Ascension Data & Analytics LLC (Ascension), a technology and data analytics firm used by the mortgage industry, did not follow this concept when hiring providers and has recently entered into a proposed settlement agreement with the Federal Trade Commission (FTC) after it was accused of violating the safeguards provisions of the Gramm-Leach-Bliley Act (GLBA) by failing to ensure that a third-party provider adequately protected mortgage holders’ personal information.
According to the FTC Safeguards Rule, financial institutions for which the FTC is responsible* must protect the security, confidentiality, and integrity of customer information by developing, implementing, and maintaining a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. According to the FTC complaint against Ascension, in hiring OpticsML as a third-party vendor, Ascension did not evaluate OpticsML’s security measures (also in violation of Ascension’s own guidelines). In addition, the FTC alleged that Ascension’s contract with OpticsML did not adequately require OpticsML to implement appropriate security measures. Finally, the complaint alleged that Ascension had not identified reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, nor assessed the sufficiency of the safeguards in place to control those risks, in connection with the vendor engagement.
The FTC alleged that as a result of Ascension’s failure, sensitive personal information of tens of thousands of consumers was exposed on the Internet for a year. During the year that the sensitive personal information was unsecured, approximately 52 unauthorized IP addresses accessed servers and locations that contained the sensitive information (most of which were associated with computers outside of the United States, including addresses in Russia and China).
The proposed settlement requires Ascension: 1) to implement and maintain a comprehensive data security program with extensive vendor management requirements; 2) to obtain independent assessments of the effectiveness of its data security program every two years, which the FTC has the authority to approve; 3) to submit an annual certification from an Ascension officer of Ascension’s compliance with the terms of the settlement; and 4) to report all future data breaches to the FTC within 10 days of notifying other federal or state authorities.
In a press release announcing the deal, Andrew Smith, director of the FTC’s Bureau of Consumer Protection, was quoted as saying: “Vendor oversight is a critical part of any comprehensive data security program, especially when those vendors can compromise sensitive consumer data. If you’re a financial firm, vendor monitoring isn’t just a good idea – it’s the law.”
The settlement offers a valuable lesson about vendor management for all companies, not just those subject to the GLBA. Effective vendor risk management is a critical component of a company’s security program. A company’s security program is only as strong as its weakest link. Since vendors are part of that chain, companies would do well to hire and manage them appropriately to ensure their vendors are not the weak link.
* Other financial regulators enforce the Safeguards Rule against companies subject to their jurisdiction, e.g. the Securities and Exchange Commission, the Office of the Comptroller of the Currency, the FDIC, and the National Credit Union Administration.