Business Blog
Bank data security (but not that kind of bank)
You spend a good portion of your time trying to protect sensitive information on your network from high-tech hijackers. That’s important, of course. But don’t let it take your eye off the risks posed by good old-fashioned — make that bad old-fashioned — theft. That’s the message businesses can take from the FTC’s settlement with cord blood bank, Cbr Systems, Inc.
New parents have a lot of things to buy — cribs, car seats, and the like. But some moms and dads are paying to store their newborn’s cord blood or umbilical tissue for possible medical purposes. California-based Cbr Systems is big in that business. Of course, that line of work requires the collection of sensitive information from new parents and even from family and friends who use Cbr’s “Gift Registry” service to celebrate the birth with something different from the usual booties and blankets.
According to the FTC, on December 9, 2010, a Cbr employee removed four backup tapes from the company’s San Francisco office and put them in a backpack to bring them to the San Bruno headquarters. Also in the backpack: a Cbr laptop, external hard drive, flash drive, and other company materials.
If you follow what goes on in the data security arena, you can predict what happened next. Four days later, a light-fingered intruder removed the backpack from the employee’s car. What was on the backup tapes? Personal information from close to 300,000 consumers, including names, Social Security numbers, dates of birth, driver’s license numbers, credit and debit card numbers, and even, in the case of adoptions, whether it was open, closed, or via surrogate. And none of the data was encrypted.
The purloined company hardware — also unencrypted — contained enterprise network info like passwords and protocols that could have given an intruder access to more personal data on Cbr’s network.
All that happened against the backdrop of an express promise Cbr made to its customers in its privacy policy:
Whenever CBR handles personal information, regardless of where this occurs, CBR takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy . . . . Once we receive your transmission, we make our best effort to ensure its security on our systems.
You’ll want to review the complaint for a list of practices the FTC says when taken together establish that Cbr failed to provide reasonable and appropriate security for consumers’ personal information. But among them are transporting portable media in a way that made it vulnerable to theft, failing to take reasonable steps to make backup tapes unreadable in case of unauthorized access, not adequately restricting which employees had access to what information, failing to prevent a service provider’s work from resulting in the company keeping a database it didn’t need anymore, and holding on to data when there was no longer a business reason to retain it.
What can businesses take from the Cbr settlement?
- Protect against network intrusions, of course, but also remember that data breaches can happen through careless physical security. Because information in transit is particularly vulnerable, have policies in place to address those risks appropriately.
- If you make specific claims in your privacy policy (and most companies do), live up your promises. But drafting a privacy policy isn’t a one-and-done project. One tip from security-savvy executives: Put an automatic reminder in your scheduler to reread your policy regularly. Are you still honoring the promises you make?
- Technical tools can boost security, but face-to-face employee training should be a key component of your corporate data security plan. Ask for their advice on detecting and shoring up potential weaknesses in the system. Use real-world examples (like the facts of high-profile data breaches) to drive home the critical role they play in maintaining the security of customer — and employee — information.
- Every company is unique, which is why data security deserves more than a quick cut-and-paste. Craft your comprehensive corporate approach with the nature of your business in mind. For example, if you have a legitimate need to retain financial data, health information, or other confidential material, build in standards appropriate to what’s in your possession.
Bookmark the BCP Business Center's Privacy & Security page for links to the latest.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.