FTC’s Privacy Focus Continues in 2013: Blood Bank Data Breach Leads to Settlement

This week, the FTC announced a settlement with Cbr Systems, Inc., the operator of a leading cord blood bank, over charges that the company failed to protect the security of its customers’ personal information, and that inadequate security measures led to a data breach affecting approximately 300,000 consumers. The FTC claimed that Cbr’s alleged actions and privacy policy claims were deceptive and violated the FTC Act.

FTC’s Complaint Allegations: Cbr offers a service through which consumers can pay to preserve and store a newborn’s umbilical cord blood and tissue, which contain stem cells that researchers are investigating as treatments for certain diseases and conditions. Cbr’s privacy policy claims that, “in all instances, Cbr takes steps to ensure that its customers’ personal information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy. . . .”

According to the FTC Complaint, Cbr took unnecessary risks by allowing employees to transport personal data contained on backup tapes, laptops, and other electronic devices in a way that made the information vulnerable to theft. The FTC alleged that such practices contributed to a December 2010 security breach in which unencrypted backup tapes, a Cbr laptop, an external hard drive, and a thumb drive were stolen from an employee’s personal vehicle. Because the media were not encrypted, physical possession of the devices was enough to read their contents, which included the names, addresses, contact information, and credit card numbers of nearly 300,000 customers.

Settlement Provisions: In resolving these allegations, the FTC settlement bars Cbr from misrepresenting the extent to which the company maintains the privacy and security of consumers’ personal information. The settlement also requires Cbr to establish a comprehensive information security program and to obtain independent security audits every two years for the next 20 years. Going forward, a violation of the settlement could expose the company to civil penalties of up to $16,000 per violation.

What This Settlement Signals: Not coincidentally, the FTC announced the settlement on January 28, National Data Privacy Day. The timing underscores that, in 2013, the FTC will continue to hold companies accountable both for the representations they make to consumers about their privacy practices and for appropriately securing the personal data in their control.