On May 3, the FTC approved a final order settling charges against a California-based cord blood bank firm alleged to have violated the FTC Act by failing to use reasonable and appropriate procedures for handling customers’ personal information, despite its privacy policy claims to the contrary. Further, the FTC alleged that the firm created unnecessary risks to personal information by transporting portable data storage devices containing personal information in a manner that made the information vulnerable to theft, and failed to prevent, detect and investigate unauthorized access to computer networks. According to the FTC, these practices resulted in a data breach in which certain portable devices were stolen from an employee’s personal vehicle and the personal information of nearly 300,000 customers was compromised. The settlement requires the company to establish a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years, and prohibits the company from misrepresenting the privacy and security of information collected from consumers.