
Blood Bank Settles FTC Complaint About Customer Data Privacy

February 8, 2013

By: Ifrah Law

Any company that collects personal information about individuals, such as credit card numbers and Social Security numbers, must be very careful about the way in which it stores and secures that information. Even a blood bank that stores umbilical cord blood needs to keep these privacy rules in clear view. That is one of the messages of a recent Federal Trade Commission action.

California-based Cbr Systems is one of the leaders in the growing field of umbilical cord storage. Umbilical cords are rich in stem cells, and new parents are paying to have the cord or cord blood stored away for the child’s possible medical use later in life. Cbr acquires and stores the cords for an annual fee.

Cbr also stores a vast amount of information related to these tissues, including names, dates and times of birth, Social Security numbers, credit card numbers, checking account numbers, addresses, and driver’s license numbers. In December 2010, a Cbr employee removed four backup tapes containing this sensitive information in order to transport them to a different office. Soon after, a thief stole the tapes and other company devices from the employee’s car. In all, personal information of nearly 300,000 Cbr customers was compromised. The tapes and other devices were not encrypted.

The FTC pursued this matter because it found that Cbr’s privacy policy was deceptive under the FTC Act. The privacy policy stated, “Whenever Cbr handles personal information, regardless of where this occurs, Cbr takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy.” FTC Chairman Jon Leibowitz said, “The FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by Cbr.”

Under the terms of the settlement, Cbr must establish an information security system, submit to security audits every other year for the next 20 years, and ensure that it does not misrepresent its privacy and security practices. A violation of the final order could result in Cbr paying up to $16,000 per violation.

In addition to the FTC action, Cbr clients filed a class action against the company alleging that the company failed to adequately protect the information, and belatedly notified customers of the privacy breach. On February 5, 2013, a federal judge in Johansson-Dohrmann v. CBR Systems Inc., in the U.S. District Court for the Southern District of California, No. 12-1115, granted preliminary approval of a proposed settlement in which CBR must provide credit monitoring and identity theft insurance to each affected class member, as well as make cash reimbursements for any losses resulting from identity theft. The settlement also provides up to $600,000 in payments to the plaintiffs’ lawyers.

Data privacy breaches are a serious concern for any company. They can result in serious reputational harm, as well as financial loss through costly legal actions initiated by the FTC, states, or class actions. The cost of developing and implementing an effective data privacy protocol is a worthwhile investment to guard against these losses. Companies should refer to the FTC’s guides and manuals for protecting consumers’ personal information. Implementing these procedures will serve to protect both consumers and the company itself.
