agent Entrepreneur logo
MenuMENU
SearchSEARCH

It’s the Same, but Different

While we do not know what the political shift brought about by the last election cycle will do with any degree of certainty, the popular perception is that we can expect increased regulatory scrutiny.

by Robert J. Wilson, Esq.
March 25, 2021
It’s the Same, but Different

While we do not know what the political shift brought about by the last election cycle will do with any degree of certainty, the popular perception is that we can expect increased regulatory scrutiny.

IMAGE: Kanawatvector via GettyImages.com

4 min to read


Many of us are suffering from “new normal” fatigue. As we struggle to understand all the new challenges, some describe the new normal as the same but different. We are tired of the changes forced on us by the pandemic and other events, but in the compliance world, the standards have remained constant. While we do not know what the political shift brought about by the last election cycle will do with any degree of certainty, the popular perception is that we can look forward to increased regulatory scrutiny. With that in mind, this is a good time to revisit the Safeguards Rule.

As the COVID pandemic pushes retailing into the digital realm, and more and more NPI is pushed into the cloud, what steps has your business taken to safeguard this valuable information?

Ad Loading...

By way of summary, the Safeguards Rule requires you to protect the security, confidentiality, and integrity of customer information through implementing an information security program (ISP), which contains administrative, technical, and safeguard components. In addition, an employee is to be designated to coordinate the ISP; reasonably foreseeable internal and external risks are to be identified and the sufficiency of safeguards are to be assessed; safeguards are to be designed and implemented to address identified risks; regular testing and monitoring of the safeguard’s key controls, systems and procedures is to be done; reasonable steps are to be taken in selecting vendors who maintain appropriate safeguards; vendors are to be contractually required to implement appropriate safeguards; and the ISP is to be evaluated and adjusted in light of monitoring and testing.

Holding a party responsible for the actions of its vendor was the cornerstone of a recent FTC action. In 2020, the FTC brought an enforcement action against Ascension Data & Analytics, LLC (Ascension). Ascension was a data analytics company that obtained mortgage loan information including names, dates of birth, social security numbers, drivers’ license numbers, credit files, and tax returns (collectively non-public personally identifiable financial information or NPI) for 60,593 customers. Ascension outsourced scanning of the NPI to a third-party vendor named PairPrep, Inc. PairPrep stored the NPI on a cloud-based server; however, it misconfigured both the server and storage location so that the NPI was not protected at all. No password was required to access the information, all that was needed to access the NPI was the internet address and storage location. The NPI of the 60,593 customers was stored on this unsecured cloud-based server for more than a year before the lack of security was discovered.

Surprisingly, Ascension did have a policy regarding its vendors and was required to vet the security measures of its vendors; however, it did nothing to assess PairPrep’s security measures. In the proposed Consent Order with the FTC, Ascension neither admits nor denies any of the FTC claims; however, there are some lessons worth noting. The Consent Order required, among other things, that Ascension obtain written documentation of vendors information security policies and practices; provide a written description of safeguards in place to protect NPI; provide written yearly updates; and have a third party perform yearly vulnerability scanning and penetration testing of the vendor, which may not rely solely on assertions or attestations by management. The Consent Order required 10 years of assessments and certification directly to the FTC itself and required Ascension to provide a copy of the Consent Order for 20 years to all listed parties. Each violation of the Consent Order (e.g. failure to safeguard customer information) is subject to a penalty of up to $43,280.

The takeaway here is that it is certainly easier to avoid a mess than to clean up a mess. Had Ascension followed its own policy and vetted its vendor, it would not have had to address the FTC enforcement action, suffered damage to its reputation, and caused harm to more than 60,000 of its customers. As the COVID pandemic pushes retailing into the digital realm, and more and more NPI is pushed into the cloud, what steps has your business taken to safeguard this valuable information? More specifically, what steps have you taken to make sure your vendors are safeguarding this information? This case makes it clear that your vendor’s failures are your failures. Warren Buffet says that risk comes from not knowing what you are doing. We now know that risk also comes from not knowing what your vendors are doing. Managing that risk will continue to be a constant in the years ahead. Stay safe.

Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material.

Ad Loading...

© 2021 Robert J. Wilson, All Rights Reserved

Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is General Counsel for ARMD Resource Group, creator of the Virtual Compliance Manager® (“VCM”).

Subscribe to Our Newsletter

More Industry

Foreign Cars Italia dealership store in front of sunset
Industryby Hannah MitchellJuly 2, 2026

Luxe N.C. Dealerships Change Hands

A collection of Italian and English brand franchises were handed off to the owner’s friend in the business and include the Carolinas’ only Ferrari retail stores.

Read More →
inside of car, person with hands on black steering wheel
Industryby Lauren LawrenceJuly 2, 2026

Exposure Drives Interest in Chinese Cars

At a recent demonstration, consumers had the chance to ride in a Chinese-branded vehicle, a firsthand experience that improved their perceptions and purchase intent.

Read More →
Woman's hands holding an wallet empty of cash
Industryby Hannah MitchellJuly 1, 2026

Automotive Consumers Sink Further in Debt

Most financing metrics hit records in the second quarter as more buyers locked themselves into long terms and high monthly payments.

Read More →
Ad Loading...
Rob Mancuso sitting in a chair on stage
Industryby Hannah MitchellJuly 1, 2026

Agent Advocate

Rob Mancuso, who comes from a long line of auto dealers, values general agents’ place in the industry and makes a case for them taking an even bigger seat at the table.

Read More →
Photo of a touchscreen on a car's dashboard
Industryby Hannah MitchellJune 25, 2026

Driving Under Distraction

Though consumers gave higher marks to new vehicles in JD Power’s most recent initial-quality poll, high-tech interference worsened, pointing to craving for simplicity.

Read More →
split background green and blue. 2019 to 2025 with car going from starting location to end point. $37,310 and $48,402. Agent Entrepreneur logo
Industryby Lauren LawrenceJune 25, 2026

Affordable New Cars a Thing of the Past

More than one out of five new vehicles sell for more than $60,000, according to Edmunds. That's up 7% compared to prepandemic 2019.

Read More →
Ad Loading...
Photo of multiple new SUVs on a car dealership lot
Industryby Hannah MitchellJune 22, 2026

State Follows Federal Warning on Auto Ads

The Massachusetts attorney general cautioned the state’s automotive dealers to be upfront with the consuming public about their vehicle prices or risk punishment.

Read More →
Gas pumps.
Industryby Lauren LawrenceJune 15, 2026

Consumer Outlook on the Rise

Younger generations are feeling more positive about their financial futures and current affordability pressures than older generations, according to recent TransUnion data.

Read More →
Group photo of men outside storefront.
Industryby Hannah MitchellMay 28, 2026

Pennsylvania Dealership Under New Retailers

The sale of the Chrysler Dodge Jeep Ram store puts a family auto group on a leaner path as first-time dealers take the helm.

Read More →
Ad Loading...
Hallway with lockered wiring and computer
Industryby Lauren LawrenceMay 28, 2026

Battery Storage Takes Priority Over EVs

U.S. automakers are prioritizing battery energy stationary storage over electric-vehicle production as the consumer demand for EVs lags the rest of the world.

Read More →
Ad Loading...