Privacy & Information Security Law Blog

On January 28, 2013, the Federal Trade Commission announced a proposed settlement agreement with CBR Systems, Inc. (“CBR”), an operator of a cord blood bank, which collects personal information about consumers and physicians through its websites and in connection with the provision of its services, including names, addresses, dates of birth, Social Security numbers, credit card numbers and health information.

In the complaint against CBR, the FTC alleged that the company made false and deceptive assurances to consumers that it implemented “reasonable and appropriate” measures to protect consumers’ personal information from unauthorized access. The FTC claimed that CBR in fact had failed to implement such measures, which contributed to a December 2010 security incident. That incident involved the theft of a backpack that contained backup tapes, a company-issued laptop, an external hard drive, a USB drive and other materials. The unencrypted backup tapes contained the personal information of 298,000 consumers, including names, gender, Social Security numbers, dates and times of birth, drivers’ license numbers, credit/debit card numbers, card expiration dates, checking account numbers and contact information. The other portable medial also was unencrypted and contained certain enterprise network information, including passwords and protocols, that could have “facilitated an intruder’s access to CBR’s network.”

According to the FTC’s complaint, between March 2006 and October 2011, CBR stated in its privacy policies and statements that “[w]herever CBR handles personal information, regardless of where this occurs, CBR takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy…. Once we receive your transmission, we make our best effort to ensure its security on our systems.” The FTC alleged that CBR “created unnecessary risks to personal information,” including by (1) transporting portable media containing personal information in a manner that made the media vulnerable to theft, (2) failing to adequately supervise a service provider, (3) failing to take reasonable steps to render backup tapes unusable, unreadable or indecipherable, (4) not adequately restricting access to databases which contained personal information to only those employees who needed such access, and (5) failing to destroy consumers’ personal information for which there was no longer a business need. In addition, the FTC alleged that CBR failed to employ sufficient measures to detect and investigate unauthorized access to its computer networks.

The proposed settlement requires CBR to not misrepresent in any manner the extent to which CBR uses, maintains and protects consumers’ personal information. CBR also is required to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years.

Update: On May 3, 2013, the FTC approved the final settlement order with CBR.