
caveat vendor

FTC: Data Security “Promise-Keeper”

February 08, 2013

By Paul Hastings Professional

If it wasn’t already clear, last week brought another reminder: the Federal Trade Commission believes a promise is a promise. A company that promises in its privacy policy that consumers’ personal information will be “treated securely” and that it will use its “best effort” to keep that information safe will be held to that promise if the FTC believes it has fallen short.

A settlement announced last week with Cbr Systems illustrates precisely that point. Cbr Systems is one of the leading providers of umbilical cord blood and tissue banking services. (Parents can pay Cbr Systems to store their newborn’s umbilical cord blood and tissue, which contain stem cells that may be used later to treat the child if she develops a life-threatening condition such as leukemia.) The FTC alleged that despite having a privacy policy that pledged to ensure the security of consumers’ personal information, Cbr “failed to provide reasonable and appropriate security for consumers’ personal information.”

The breach occurred in 2010, when a Cbr employee removed four backup tapes, a laptop, external hard drive, USB drive and other materials from the company’s San Francisco facility and placed them in a backpack to take them to Cbr’s corporate headquarters in San Bruno, California. Four days later, the backpack was stolen from the employee’s personal vehicle and personal information of almost 300,000 consumers fell into unknown hands. The backup tapes contained names, addresses, Social Security numbers, drivers’ license numbers, credit/debit card numbers and expiration dates, checking account numbers, telephone numbers and email addresses, and in some instances information about adoptions – including whether they were open, closed, or via surrogate. The stolen laptop and external hard drive contained Cbr network information – passwords and protocols – that could have given an intruder access to even more personal information on the company’s network.

Cbr’s privacy policy stated that “[w]henever CBR handles personal information, regardless of where this occurs, CBR takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy. . . . Once we receive your transmission, we make our best effort to ensure its security on our systems.”

Perhaps not surprisingly, the FTC alleged that, despite this pledge to consumers, Cbr lacked reasonable data security policies and procedures and engaged in behavior that created needless risks to consumers’ personal information, including: transporting data in a manner that made it vulnerable to theft; retaining sensitive information for which it no longer had a business need; failing to restrict access to personal information to only those employees with a need for the information; and failing to take adequate precautions against unauthorized access by not encrypting data on its backup tapes or other portable media.

Because Cbr failed to live up to the promises made in its privacy policy, the FTC alleged that the privacy policy was false or misleading, and that the company engaged in deceptive acts or practices in violation of Section 5(a) of the FTC Act. Under the terms of the settlement, Cbr is required to establish and maintain a comprehensive data security program. The company must also submit to audits by independent security auditors for the next 20 years.

The Cbr case is a reminder that, notwithstanding the absence of federal legislation establishing overarching data security requirements, the FTC will leverage companies’ own promises to consumers to mandate what it believes are reasonable data security practices. Stay tuned; we are sure there is more to come….