On January 28, 2013, the Federal Trade Commission announced a proposed settlement agreement with CBR Systems, Inc. (“CBR”), an operator of a cord blood bank, which collects personal information about consumers and physicians through its websites and in connection with the provision of its services, including names, addresses, dates of birth, Social Security numbers, credit card numbers and health information.
In the complaint against CBR, the FTC alleged that the company made false and deceptive assurances to consumers that it implemented “reasonable and appropriate” measures to protect consumers’ personal information from unauthorized access. The FTC claimed that CBR in fact had failed to implement such measures, which contributed to a December 2010 security incident. That incident involved the theft of a backpack that contained backup tapes, a company-issued laptop, an external hard drive, a USB drive and other materials. The unencrypted backup tapes contained the personal information of 298,000 consumers, including names, gender, Social Security numbers, dates and times of birth, driver’s license numbers, credit/debit card numbers, card expiration dates, checking account numbers and contact information. The other portable media also were unencrypted and contained certain enterprise network information, including passwords and protocols, that could have “facilitated an intruder’s access to CBR’s network.”
The proposed settlement requires CBR to not misrepresent in any manner the extent to which CBR uses, maintains and protects consumers’ personal information. CBR also is required to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years.