FTC: Data Security “Promise-Keeper”
By Paul Hastings Professional
The breach occurred in 2010, when a Cbr employee removed four backup tapes, a laptop, external hard drive, USB drive and other materials from the company’s San Francisco facility and placed them in a backpack to take them to Cbr’s corporate headquarters in San Bruno, California. Four days later, the backpack was stolen from the employee’s personal vehicle and personal information of almost 300,000 consumers fell into unknown hands. The backup tapes contained names, addresses, Social Security numbers, drivers’ license numbers, credit/debit card numbers and expiration dates, checking account numbers, telephone numbers and email addresses, and in some instances information about adoptions – including whether they were open, closed, or via surrogate. The stolen laptop and external hard drive contained Cbr network information – passwords and protocols – that could have given an intruder access to even more personal information on the company’s network.
Perhaps not surprisingly, FTC alleged that, despite this pledge to consumers, Cbr lacked reasonable data security policies and procedures and engaged in behavior that created needless risks to consumers’ personal information, including transporting data in a manner that made it vulnerable to theft, retaining sensitive information for which it no longer had a business need, failing to restrict access to personal information to only those employees with a need for the information and failing to take adequate precautions against unauthorized access by not encrypting data on its backup tapes or other portable media.
The Cbr case is a reminder that, notwithstanding the absence of federal legislation establishing overarching data security requirements, the FTC will leverage companies’ own promises to consumers to mandate what it believes are reasonable data security practices. Stay tuned; we are sure there is more to come.