BreachExchange mailing list archives

Blood bank settles FTC charges for failing to protect personal information


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 29 Jan 2013 12:48:26 -0500

http://thehill.com/blogs/hillicon-valley/technology/279605-ftc-announces-data-breach-settlement-

The Federal Trade Commission (FTC) agreed to settle charges with cord
blood bank Cbr Systems after alleging that its weak security practices
led to a security breach that exposed the Social Security, credit and
debit card numbers of roughly 300,000 customers, Commissioner Maureen
Ohlhausen said on Monday.

Ohlhausen said the blood bank, which stores umbilical cord blood and
tissue, suffered a security breach in 2010 after a company laptop,
hard drive and unencrypted backup tapes that contained consumers'
personal information were stolen from an employee's car. The backup
tapes had people's Social Security numbers, driver's license numbers,
birth dates and credit- and debit-card information stored on them.

Under the terms of the settlement, Cbr Systems agreed to establish an
information security program, and is subject to third-party audits
every other year for 20 years.

Speaking at a data privacy event hosted by the National Cybersecurity
Alliance, Ohlhausen also provided a brief outline of the commission's
plans for data-security matters this year. She said the commission
will continue its study on the data broker industry. Last month the
FTC asked nine large data broker companies to provide the agency with
information about how they collect and use data about consumers.

The FTC will receive the data brokers' submissions next month and then
decide how to proceed after studying that feedback, said Ohlhausen, a
Republican commissioner at the FTC. The agency said it plans to make
recommendations on whether the data broker industry needs to improve
its privacy practices.

Ohlhausen declined to comment further on the type of action the agency
expects to take with respect to data brokers but said she expects the
issue will be a "hot topic of discussion" in Congress in the "days
ahead."

The FTC will continue to keep an eye on new advances in facial
recognition technology, Ohlhausen said. The commission issued a set of
guidelines this past fall for companies that employ the technology,
which is used to identify people in photographs by their facial
features.

Going forward, Ohlhausen said the commission will pay attention to
whether companies are appropriately securing data that's collected via
facial recognition software and giving consumers notice on how they
plan to use that data and protect it. She said the FTC will also look
at whether companies engage in deceptive practices while using facial
recognition technology, such as using the data for a different purpose
than the one they originally stated.

She voiced support for Congress to pass a federal data breach
notification law to replace the patchwork of data-breach rules in
various states. Efforts to pass a federal data breach notification
standard have enjoyed bipartisan support over the years, but a bill
has failed to pass Congress so far.

"I believe a single standard would let companies know what to do and
consumers know what to expect," Ohlhausen said.

She added that data breach legislation should be carefully crafted so
it does not impose "undue costs" on businesses. The commissioner
expects this type of measure "will likely get some traction in the new
Congress" due to the past support it's received on both sides of the
aisle, but cautioned that "it's always hard to predict what Congress
will do."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
