FTC Obtains Settlement from Cord Blood Bank in Data Theft Action

FTC Privacy/Cyber Risk & Data Security

On February 5, a federal district court in California approved a settlement recently obtained by the FTC, which (i) requires a California-based firm that operates a cord blood bank to establish a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years, and (ii) prohibits the company from misrepresenting its privacy and security practices. The FTC alleged that the firm violated the FTC Act by failing to use reasonable and appropriate procedures for handling customers’ personal information, despite its privacy policy claims to the contrary. Further, the FTC charged that the firm created unnecessary risks to personal information by transporting portable data storage devices containing personal information in a way that made the information vulnerable to theft, and failed to prevent, detect, and investigate unauthorized access to computer networks. According to the FTC, this resulted in a December 2010 breach in which certain portable devices were stolen from an employee’s personal vehicle and the names, gender, Social Security numbers, dates and times of birth, drivers’ license numbers, credit and debit card numbers, and other personal information of nearly 300,000 customers were compromised. The FTC also alleged that certain of the portable devices could have permitted an intruder to access the firm’s network, which contained sensitive personal health information.