Inman

Ascension settles with FTC over mortgage data mishap

Have suggestions for products that you’d like to see reviewed by our real estate technology expert? Email Craig Rowe.

Allegations by the Federal Trade Commission (FTC) against Texas-based Ascension Data & Analytics, LLC has resulted in the mortgage data analytics company’s requirement to install an enterprise-wide data security program, according to a press release issued by the FTC.

The case is the result of the commission’s discovery that a vendor of Ascension was not sufficiently protecting personal information for mortgage holders. Under the Gramm-Leach-Bliley Act’s Safeguards Rule, financial institutions are accountable for the actions of vendors, data security being critical to that oversight.

It’s suspected that “tens of thousands” of customers were subject to data mishandling, which the commission states is a direct result of Ascension’s failure to thoroughly examine the operations of its vendor, OpticsML, largely because its company agreement did make data integrity a factor.

The Safeguards Rule, made effective in May 2003, mandates that financial organizations perform risk assessments of vendors.

OpticsML provides scanning technology to translate printed documents into digital resources. The Commission found that the company stored gleaned mortgage data on an insecure cloud server, to the extent where information could be viewed without a password or user permissions. The settlement alleges that the server was accessed.

Ascension’s website lists “document management with OCR” (optimal character recognition) as a featured service.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said in the release that financial entities need to remember that vendor management isn’t only sound business practice, it’s a legal requirement.

“Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk … vendor oversight is not just a good idea, it’s the law,” he said.

Ascension’s new plan for data security will undergo review by an independent organization twice a year, per terms of the settlement. There has to be a person designated in charge of the program, and once each year, a senior company representative will provide certification that the effort remains intact and compliant.

As is the case with all mortgage documentation, the records contained a wide array of mortgage holders’ personal information, much of which is considered the most important to protect, such as driver’s licenses, social security numbers, and bank and credit account numbers.

Ascension is also under a 10-day window to report any form of data breach to the FTC, provided it has done so to any other federal or state entity.

The release states that the public will have 30 days to comment on the settlement once published in the Federal Register. A decision on whether to make the proposed consent order final will be made after public comment.

Have a technology product you would like to discuss? Email Craig Rowe

Craig C. Rowe started in commercial real estate at the dawn of the dot-com boom, helping an array of commercial real estate companies fortify their online presence and analyze internal software decisions. He now helps agents with technology decisions and marketing through reviewing software and tech for Inman.