FTC Settlement Highlights the Importance of Consistency Between Data Security Practices and Advertised Privacy Policies

Cbr Systems, Inc. (Cbr), the operator of a cord blood bank based in San Bruno, CA, recently agreed to a settlement with the Federal Trade Commission (FTC) based on allegations that the company violated the FTC Act’s prohibitions against unfair and deceptive practices. Specifically, the FTC charged Cbr with failing to use reasonable and appropriate security procedures in handling customers’ personal information. Cbr’s failure allegedly contributed to a December 2010 breach in which portable unencrypted devices were stolen from an employee’s personal vehicle, resulting in the compromise of nearly 300,000 customers’ personal information. The FTC reasoned that because Cbr’s security practices were inconsistent with a claim the company made in its online privacy policy regarding the security of personal information collected by the company, the claim was “deceptive” and therefore violated Section 5 of the FTC Act.

Cbr’s “banking” services allow customers to preserve the stem cells contained in their newborns’ umbilical cord blood and tissue, which may prove critical in treating certain diseases and conditions in the future. In providing these services, Cbr collects and stores customers’ personal information, including each customer’s name, address, email address, telephone number, date of birth, Social Security number, driver’s license number, credit or debit card number, and sensitive medical data. Cbr’s privacy policy, which governs the use and protection of customers’ personal information, stated, in relevant part, that “(w)henever Cbr handles personal information, regardless of where this occurs, Cbr takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy.”

According to the FTC, however, Cbr did not have procedures in place to protect the security of the personal information it collected and maintained, in direct violation of the company’s Privacy Policy. In addition, Cbr allegedly created unnecessary risks to its customers’ personal information by, for example, failing to take sufficient measures to prevent, detect, and investigate unauthorized access to its computer networks and by transporting unencrypted portable data storage devices containing personal information in a manner that made the information vulnerable to theft.

To settle the challenge brought by the FTC, Cbr agreed to: (1) establish and maintain a comprehensive information security program; (2) submit to security audits by independent auditors every other year for twenty years; and (3) refrain from misrepresenting its privacy and security practices. According to the settlement, Cbr’s security program must contain “administrative, technical, and physical safeguards appropriate to (Cbr’s) size and complexity, the nature and scope of (its) activities, and the sensitivity of the personal information collected from or about consumers.”

In an official statement, FTC chairman Jon Leibowitz said that “(t)he FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by Cbr.” This case makes it clear that the FTC takes the protection of consumers’ personal information seriously and will not hesitate to take action against companies that do not offer the level of protection claimed in their online privacy policies.

This case should serve as a wake-up call, highlighting the importance of ensuring that claims made in privacy policies (online and otherwise) reflect how a company actually collects, shares, and protects consumers’ personal information. Having a privacy policy written in plain English makes it easier both for consumers to understand the policy and for employees to implement it. It is also a good idea to review current data security policies to determine whether the policies are being followed company-wide. Actions like audits and training for employees and third-party vendors are helpful in ensuring compliance with company policy. Finally, it is crucial to develop a plan for handling a data breach in advance of any security breach. This will help minimize damage to consumers and ensure that necessary disclosures are made to the appropriate authorities in a timely manner.

Arent Fox will continue to monitor this area of the law for further developments. Any company that collects personal data from consumers should take proactive steps to have appropriate legal counsel review its data security practices, as well as its terms of service or privacy practices, to identify any potential problem areas. For more information, please contact Pamela Deese or Anthony Peluso.