On January 28, 2013, CBR Systems, Inc. (CBR) agreed to settle FTC charges that it failed to protect its customers’ personal information, including nearly 300,000 customers’ Social Security numbers and credit and debit card numbers.

CBR collects and stores umbilical cord blood and umbilical cord tissue for potential medical use.  The company also collects and stores customers’ personal information, including each customer’s name, address, email address, telephone number, date of birth, Social Security number, driver’s license number, credit card number, debit card number, medical health history profile, blood typing results, and infectious disease marker results.  According to the FTC, the misuse of the types of personal information CBR collects—including Social Security numbers, dates of birth, credit card numbers, and health information—can facilitate identity theft, including existing and new account fraud, expose sensitive medical data, and lead to related consumer harms.

Specifically, the FTC alleged that CBR did not use “reasonable and appropriate practices to protect consumers’ personal information from unauthorized access.”  For instance, CBR created unnecessary risks to its customers’ personal information by transporting that information on backup tapes, a thumb drive, and other portable data storage devices in a way that made it vulnerable to theft.  CBR also failed to take sufficient measures to prevent, detect, and investigate unauthorized access to its computer networks.

To address the FTC’s concerns, CBR agreed to a settlement.  Specifically, the FTC’s Consent Order provides that CBR must “establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”  The security program must contain administrative, technical, and physical safeguards appropriate to CBR’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers.  The Consent Order also requires CBR to engage a “qualified, objective, independent third-party professional” to provide reports on CBR’s progress in implementing the provisions of the Consent Order.