A California blood and tissue bank has agreed to settle Federal Trade Commission (FTC) charges stemming from a breach that affected nearly 300,000 consumers.
The FTC on Monday announced the settlement, which requires Cbr Systems to create and maintain a security program and, for the next 20 years, undergo independent security audits every other year. Cbr Systems will also be barred from misrepresenting its privacy and security practices.
The FTC alleged that Cbr, which collects and stores umbilical cord blood and tissue to be used for stem cell research and potential disease treatment, “misrepresented that it maintained reasonable and appropriate practices to protect consumers' personal information from unauthorized access,” an FTC analysis of the consent agreement said.
In December 2010, four backup tapes, a laptop, an external hard drive and a USB device containing unencrypted data were stolen from a Cbr employee's vehicle. Data on the devices included names, birth dates, Social Security numbers, driver's license numbers, checking account numbers, credit and debit card numbers, and other sensitive information of approximately 298,000 consumers.
The stolen laptop and external hard drive both also held unencrypted enterprise network information, including passwords and protocols, which an attacker could have used to gain access to Cbr's network, the FTC said.
Since May 2011, the FTC has brought 32 legal actions against organizations that the agency contends misled consumers about the security of their sensitive information or violated their privacy rights.
A Cbr spokesperson could not immediately be reached for comment on the settlement.
UPDATE: A Cbr spokeswoman told SCMagazine.com on Tuesday that none of the data on the stolen devices was used fraudulently. She also said unencrypted data on the devices did not include health information.
"The FTC has not alleged that any company data from that [incident] has been improperly accessed or used," she said.
[An earlier version of this story incorrectly stated that medical health data of donors, and the credit and debit card information of donors' friends and family, were exposed in the breach.]