Many of us are suffering from “new normal” fatigue. As we struggle to understand all the new challenges, some describe the new normal as the same but different. We are tired of the changes forced on us by the pandemic and other events, but in the compliance world, the standards have remained constant. While we do not know what the political shift brought about by the last election cycle will do with any degree of certainty, the popular perception is that we can look forward to increased regulatory scrutiny. With that in mind, this is a good time to revisit the Safeguards Rule.
As the COVID pandemic pushes retailing into the digital realm, and more and more NPI is pushed into the cloud, what steps has your business taken to safeguard this valuable information?
By way of summary, the Safeguards Rule requires you to protect the security, confidentiality, and integrity of customer information through implementing an information security program (ISP), which contains administrative, technical, and safeguard components. In addition, an employee is to be designated to coordinate the ISP; reasonably foreseeable internal and external risks are to be identified and the sufficiency of safeguards are to be assessed; safeguards are to be designed and implemented to address identified risks; regular testing and monitoring of the safeguard’s key controls, systems and procedures is to be done; reasonable steps are to be taken in selecting vendors who maintain appropriate safeguards; vendors are to be contractually required to implement appropriate safeguards; and the ISP is to be evaluated and adjusted in light of monitoring and testing.
Holding a party responsible for the actions of its vendor was the cornerstone of a recent FTC action. In 2020, the FTC brought an enforcement action against Ascension Data & Analytics, LLC (Ascension). Ascension was a data analytics company that obtained mortgage loan information including names, dates of birth, social security numbers, drivers’ license numbers, credit files, and tax returns (collectively non-public personally identifiable financial information or NPI) for 60,593 customers. Ascension outsourced scanning of the NPI to a third-party vendor named PairPrep, Inc. PairPrep stored the NPI on a cloud-based server; however, it misconfigured both the server and storage location so that the NPI was not protected at all. No password was required to access the information, all that was needed to access the NPI was the internet address and storage location. The NPI of the 60,593 customers was stored on this unsecured cloud-based server for more than a year before the lack of security was discovered.
Surprisingly, Ascension did have a policy regarding its vendors and was required to vet the security measures of its vendors; however, it did nothing to assess PairPrep’s security measures. In the proposed Consent Order with the FTC, Ascension neither admits nor denies any of the FTC claims; however, there are some lessons worth noting. The Consent Order required, among other things, that Ascension obtain written documentation of vendors information security policies and practices; provide a written description of safeguards in place to protect NPI; provide written yearly updates; and have a third party perform yearly vulnerability scanning and penetration testing of the vendor, which may not rely solely on assertions or attestations by management. The Consent Order required 10 years of assessments and certification directly to the FTC itself and required Ascension to provide a copy of the Consent Order for 20 years to all listed parties. Each violation of the Consent Order (e.g. failure to safeguard customer information) is subject to a penalty of up to $43,280.
The takeaway here is that it is certainly easier to avoid a mess than to clean up a mess. Had Ascension followed its own policy and vetted its vendor, it would not have had to address the FTC enforcement action, suffered damage to its reputation, and caused harm to more than 60,000 of its customers. As the COVID pandemic pushes retailing into the digital realm, and more and more NPI is pushed into the cloud, what steps has your business taken to safeguard this valuable information? More specifically, what steps have you taken to make sure your vendors are safeguarding this information? This case makes it clear that your vendor’s failures are your failures. Warren Buffet says that risk comes from not knowing what you are doing. We now know that risk also comes from not knowing what your vendors are doing. Managing that risk will continue to be a constant in the years ahead. Stay safe.
Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material.
© 2021 Robert J. Wilson, All Rights Reserved
Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is General Counsel for ARMD Resource Group, creator of the Virtual Compliance Manager® (“VCM”).