Blood Bank Settles FTC Complaint About Customer Data Privacy

By: Ifrah Law

Any company that collects personal information about individuals, such as credit card numbers and social security numbers, must be very careful about the way in which it stores and secures that information. Even a blood bank that stores umbilical cord blood needs to keep these privacy rules in clear view. That is one of the messages of a recent Federal Trade Commission action.

California-based Cbr Systems is one of the leaders in the growing field of umbilical cord storage. Umbilical cords are rich in stem cells, and new parents are paying to have the cord or cord blood stored away for the child’s possible medical use later in life. Cbr acquires and stores the cords for an annual fee.

Cbr also stores a vast amount of information related to these tissues, including names, dates and times of birth, Social Security numbers, credit card numbers, checking account numbers, addresses, and driver’s license numbers. In December 2010, a Cbr employee removed four backup tapes containing this sensitive information in order to transport them to a different office. Soon after, a thief stole the tapes and other company devices from the employee’s car. In all, personal information of nearly 300,000 Cbr customers was compromised. The tapes and other devices were not encrypted.

The FTC pursued this matter because it found that Cbr’s privacy policy was deceptive under the FTC Act. The privacy policy stated, “Whenever Cbr handles personal information, regardless of where this occurs, Cbr takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy.” FTC Chairman Jon Leibowitz said, “The FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by Cbr.”

Under the terms of the settlement, Cbr must establish an information security system, submit to security audits every other year for the next 20 years, and ensure that it does not misrepresent its privacy and security practices. A violation of the final order could result in Cbr paying up to $16,000 per violation.

In addition to the FTC action, Cbr clients filed a class action against the company alleging that the company failed to adequately protect the information, and belatedly notified customers of the privacy breach. On February 5, 2013, a federal judge in Johansson-Dohrmann v. CBR Systems Inc., in the U.S. District Court for the Southern District of California, No. 12-1115, granted preliminary approval of a proposed settlement in which CBR must provide credit monitoring and identity theft insurance to each affected class member, as well as make cash reimbursements for any losses resulting from identity theft. The settlement also provides up to $600,000 in payments to the plaintiffs’ lawyers.

Data privacy breaches are a serious concern for any company. They can result in serious reputational harm, as well as financial loss through costly legal actions initiated by the FTC, states, or class actions. The cost of developing and implementing an effective data privacy protocol is a worthwhile investment to guard against these losses. Companies should refer to the FTC’s guides and manuals for protecting consumers’ personal information. Implementing these procedures will serve to protect both consumers and the company itself.