The Federal Trade Commission said it reached a settlement with CBR Systems over charges that the cord-blood bank failed to adequately protect the personal information of its consumers. The settlement does not require the company to pay a financial penalty.
The FTC's investigation stems from a 2010 theft, during which unencrypted backup tapes, a company laptop, external hard drive and USB drive were stolen from a CBR Systems employee's personal vehicle.
The devices contained 298,000 customers' Social Security numbers and credit and debit card numbers, as well as other personal information. In addition, the stolen laptop and external hard drive contained passwords and protocols that provided access to the company's network, which stored personal health information.
In the complaint, the FTC alleged that the stem cell bank “misrepresented that it maintained reasonable and appropriate practices to protect consumers' personal information from unauthorized access.”
“The FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by CBR,” FTC Chairman Jon Leibowitz said in a news release. “The exposure of this information has the potential to cause real harm to consumers.”
A spokeswoman for CBR Systems, based in San Bruno, Calif., said the FTC has not alleged that the data from the theft was improperly accessed or used. She also said the settlement did not include monetary penalties and did not require an admission that the law was violated.
As part of the settlement, CBR Systems is required to establish an information security system and submit to security audits every other year for the next two decades. The settlement also bars CBR from misrepresenting its privacy and security practices.