On January 28, 2013, the FTC entered into a settlement with Cbr Systems, Inc., a provider of umbilical cord blood and tissue banking services, over the theft of company materials from an employee's car.

The complaint alleges that in December 2010, a Cbr employee placed four backup tapes from Cbr's facility, a laptop, an external hard drive, a USB drive, and other Cbr materials in the employee's personal vehicle to drive them from the company's San Francisco office to its San Bruno, California location. Four days later, the items were stolen from the employee's car. The backup tapes were unencrypted and contained sensitive personal information on almost 300,000 Cbr customers, including names, Social Security numbers, dates and times of birth, credit card and driver's license numbers, and adoption status. The laptop and external hard drive were also unencrypted and, according to the FTC, contained passwords and other information that could have allowed an unauthorized person to access Cbr's network.

The FTC pointed to the company’s privacy policy, which provided:

“Whenever CBR handles personal information, regardless of where this occurs, CBR takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy. … Once we receive your transmission, we make our best effort to ensure its security on our systems.”

The FTC then alleged that, because the company did not back these statements with "reasonable and appropriate procedures," the privacy policy claims were deceptive under Section 5(a) of the FTC Act.

The complaint itemizes the company’s failure “to provide reasonable and appropriate security for consumers’ personal information.”  Specifically, the complaint alleges that the company created unnecessary risks to personal information by:

  • Transporting personal information in a manner that made it vulnerable to theft;
  • Failing to take reasonable steps to make personal information unreadable in the case of theft;
  • Failing to adequately supervise a service provider, resulting in retention of a legacy database containing personal information in a vulnerable format on the company’s network, including information for which the company no longer had a business need;
  • Not restricting access to personal information based on an employee’s need for the information; and
  • Failing to destroy consumers’ personal information which Cbr no longer needed.

It also alleges that the company “failed to employ sufficient measures to prevent, detect, and investigate” possible unauthorized access to its network. However, there is no allegation in the complaint that the network was ever accessed by unauthorized persons or that the personal information was misused.

Under the terms of the settlement, Cbr is required to develop and implement a “comprehensive information security program” and submit to independent audits of its compliance with the information security program biennially for the next twenty years. Moreover, the company is barred from misrepresenting its privacy and security practices and is required to submit a written report detailing its compliance with the settlement agreement within sixty days.  The FTC voted unanimously (5-0) to approve the consent agreement.

This settlement is a further reminder to companies and organizations that collect, process, and store consumers' personal information that the FTC expects them to provide reasonable and appropriate security for that information throughout its entire lifecycle, from collection and transport through storage, access, and eventual destruction. As the varied list of allegations in the complaint makes clear, reasonable security in the FTC's view is layered: it covers the physical handling of media, encryption of data at rest, oversight of service providers, need-based access control, retention and disposal of data no longer needed, and the ability to prevent, detect, and investigate unauthorized network access. Meeting that expectation requires coordination across several functions rather than any single control. Because the case was resolved by settlement, it does not represent judicial findings regarding the scope or requirements of the FTC Act.