The FTC Imposes Data Security Obligations on a Cord Blood Bank
The Federal Trade Commission (FTC or Commission) announced on January 28 that it had reached a settlement with Cbr Systems, Inc. as “part of the FTC's ongoing efforts to protect the security and confidentiality of consumers' sensitive health and financial information.” This enforcement initiative serves as a reminder that the FTC is developing substantive information security requirements that it is prepared to impose on businesses that make representations about the security of consumers' protected information.
As understood by the Commission, Cbr's business is to collect and store umbilical cord blood and umbilical cord tissue for potential medical use. The blood and/or tissue are collected at the time a baby is born and then stored for long periods in anticipation that medical science will develop uses of stem cells they contain that could provide valuable treatments for the child or other persons. Detailed personal information is collected from the expectant mother as well as a “medical history profile, blood typing results, and infectious disease marker results.” Because the blood and tissue are expected to be maintained for a long time, the personal and health information is to be retained as well.
Cbr's security practices apparently became a focus of FTC scrutiny because of a December 2010 incident in which personal information of some 298,000 Cbr customers was, in the FTC's view, “unnecessarily exposed.” The FTC reported that a Cbr employee removed four backup tapes from Cbr's San Francisco, California facility and placed them in a backpack to transfer them to Cbr's corporate headquarters in San Bruno, California, approximately 13 miles away. The backpack also contained a Cbr laptop, a Cbr external hard drive and a Cbr USB drive. Unfortunately, an “intruder removed the backpack from the Cbr employee's personal vehicle.”
Although the FTC does not report that any specific resulting harm has been identified, it found fault in part because the backup tapes were unencrypted. Additionally, the laptop and hard drive, both of which were unencrypted, “contained enterprise network information, including passwords and protocols, that could have facilitated an intruder's access to Cbr's network, including additional personal information contained on Cbr's network.”
The Charged Violation
While the FTC's press release headline indicates Cbr's violation was that it “Failed to Protect Consumers' Sensitive Information,” the proposed complaint relies on the narrower allegation that, prior to October 2011, Cbr's website made representations that the FTC deems “deceptive” and thus violative of Section 5(a) of the Federal Trade Commission Act. Specifically, the Cbr website allegedly represented that “CBR takes steps to ensure that your information is treated securely.” The FTC did not claim that statement was false. Rather, the FTC deemed that statement to be a representation that Cbr used “reasonable and appropriate procedures for handling customers' personal information” and then found that representation deceptive because Cbr had not followed the procedures that the Commission believes are reasonable and appropriate.
The FTC's data security principles are described in its pamphlet entitled, “Protecting Personal Information, A Guide for Business,” available at http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business. The Commission addresses five “Key Principles,” namely, Take Stock (know what personal information you have in your files and on your computers); Scale Down (keep only what you need for your business); Lock It (protect the information that you keep); Pitch It (properly dispose of what you no longer need); and Plan Ahead (create a plan to respond to security incidents). Each principle is supported by a “checklist” of points the FTC believes a business should consider. The Commission's complaint was not that Cbr suffered a security breach but rather that Cbr's practices did not measure up well in terms of those principles and checklists.
Cbr's Agreed Obligations
The consent agreement does not involve any cash payment to the government, but, if finalized, it would, like several other recent FTC settlement agreements, impose substantial going-forward compliance burdens for a period of 20 years. In addition to not misrepresenting “the extent to which it uses, maintains and protects the privacy, confidentiality, security, or integrity of personal information,” Cbr must implement and maintain a “comprehensive information security program” for personal information of consumers. Such a program must be “fully documented in writing” and have an “employee” to “coordinate and be accountable” for the program. It must include the “identification of material internal and external risks,” including those in the areas of “employee training and management,” “information systems” and “prevention, detection and response to attacks, intrusions, or other system failures,” as well as the design, implementation and regular testing or monitoring of “reasonable safeguards to control the risks identified.” Similar requirements must be imposed by contract on service providers who receive personal information from Cbr. The program must also provide for making adjustments based on “the results of testing and monitoring,” “material changes to any operations or business arrangements,” or any other circumstances Cbr “has reason to know” may have a “material impact” on the program's effectiveness.
Additionally, Cbr must obtain written assessments of its program made by a person “qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SANS Institute” or someone else approved by the FTC enforcement staff. Those assessments must “set forth” the safeguards Cbr has implemented, explain “how such safeguards are appropriate” and meet the requirements of the settlement agreement. The assessment must “certify” that the “security program” is, and has been, “operating with sufficient effectiveness to provide reasonable assurance” that the personal information is protected. Such an assessment is required within 180 days following issuance of the consent order and then for every two-year period.
Cbr also will be required to create and maintain other specified records. These include all the materials relied on to prepare an assessment, which must be maintained for three years. It also must maintain, for five years, all compliance-related documents, including all advertisements and promotional materials containing “representations covered” by the order and materials relied on in making such representations, as well as any documents prepared by or for Cbr that “call into question compliance” with the agreed undertakings.
The agreed order will require rather significant burdens to be borne by Cbr over two decades. Because the FTC presently uses a business's representations about its personal information security practices as the hook for imposing such a set of mandates, businesses may wish to evaluate the benefits of making such claims when they do not have a supporting program of the kind the Commission envisions.