The Federal Trade Commission, through orders and settlements, continues to demonstrate that its aiming to improve how companies go about employing data security practices.

One recent settlement – reached in 2020 but not finalized until late last month - will require one company to fortify its data security protections and perform its due diligence when it comes to ensuring that all of their third-party vendors have the appropriate safeguards in place around customer information.

The FTC gave its final approval on the settlement, voting 2-1-1, shortly before Christmas.

According to the settlement, the company, a Texas-based mortgage analytics firm, Ascension Data & Analytics, violated the Gramm-Leach Bliley Act’s Safeguards Rule.

The Safeguards Rule has several requirements, chief among them that financial institutions develop, implement, and maintain a comprehensive information security program, something the government agency claims Ascension didn’t do.

In its first complaint against the company, back in December 2020, the FTC claimed that one of Ascension's third-party vendors, OpticsML, which it hired to carry out text recognition scanning on mortgage documents, failed to secure its documents properly.

The company stored the files "on a cloud-based server in plain text, without any protections to block unauthorized access, such as requiring a password or encrypting the information."

As the information pertained to mortgages, it contained sensitive data, like loan information, credit and debit information, but also valuable PII including names, dates of birth, and Social Security numbers.

It should come as little surprise that this information was of special interest to attackers.

"As a result of the inadequate security, the cloud-based server containing the mortgage data was accessed dozens of times, according to the complaint," the FTC said in 2020.

One of the company's missteps, the FTC says, was failing to vet the security of its third-party vendors, which technically weren't required under contract to safeguard the data. It also didn't conduct risk assessments, something which likely could have given it a sign something was awry.

As part of the settlement, the company agrees not to violate any provision of the Standards for Safeguarding Consumer Information Rule (Safeguards Rule) and to establish, implement, and maintain a comprehensive data security program. After doing so it needs to have third party data security assessments carried out, keep a line of communication open with a third-party information security assessor, and complete an annual certification, among other requirements.

Looking to rectify one of Ascension's mistakes, one of the provisions of the Mandated Data Security Program section of the settlement requires the company to "Select and retain Vendors capable of safeguarding Covered Information they access through or receive from Covered Businesses, and contractually require Vendors to implement and maintain safeguards for Covered Information."

The settlement’s final approval comes a few months after the FTC revised the Safeguard Rule.

It amended it in October, incorporating changes first proposed back in April 2019, to ensure non-banking financial institutions have and maintain a security system designed to keep customer information safe.

The new changes are designed to better inform how companies like mortgage brokers, motor vehicle dealers, collection agencies and payday lenders secure consumer data.

In addition to implementing a comprehensive data security program, the changes adopted by the FTC also requires institutions to designate a single individual, like a Chief Information Security Officer, to oversee their information security program and report risk back to the organization's board of directors, or a senior official in charge of security.