BreachExchange mailing list archives
Blood bank settles FTC charges for failing to protect personal information
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 29 Jan 2013 12:48:26 -0500
http://thehill.com/blogs/hillicon-valley/technology/279605-ftc-announces-data-breach-settlement-

The Federal Trade Commission (FTC) agreed to settle charges with cord blood bank Cbr Systems after alleging that its weak security practices led to a security breach that exposed the Social Security, credit and debit card numbers of roughly 300,000 customers, Commissioner Maureen Ohlhausen said on Monday.

Ohlhausen said the blood bank, which stores umbilical cord blood and tissue, suffered a security breach in 2010 after a company laptop, hard drive and unencrypted backup tapes that contained consumers' personal information were stolen from an employee's car. The backup tapes had people's Social Security numbers, driver's license numbers, birth dates and credit- and debit-card information stored on them.

Under the terms of the settlement, Cbr Systems agreed to establish an information security program, and is subject to third-party audits every other year for 20 years.

Speaking at a data privacy event hosted by the National Cybersecurity Alliance, Ohlhausen also provided a brief outline of the commission's plans for data-security matters this year.

She said the commission will continue its study on the data broker industry. Last month the FTC asked nine large data broker companies to provide the agency with information about how they collect and use data about consumers. The FTC will receive the data brokers' submissions next month and then decide how to proceed after studying that feedback, said Ohlhausen, a Republican commissioner at the FTC. The agency said it plans to make recommendations on whether the data broker industry needs to improve its privacy practices.

Ohlhausen declined to comment further on the type of action the agency expects to take with respect to data brokers but said she expects the issue will be a "hot topic of discussion" in Congress in the "days ahead."

The FTC will continue to keep an eye on new advances in facial recognition technology, Ohlhausen said. The commission issued a set of guidelines this past fall for companies that employ the technology, which is used to identify people in photographs by their facial features.

Going forward, Ohlhausen said the commission will pay attention to whether companies are appropriately securing data that's collected via facial recognition software and giving consumers notice on how they plan to use that data and protect it. She said the FTC will also look at whether companies engage in deceptive practices while using facial recognition technology, such as using the data for a different purpose than the one they originally stated.

She voiced support for Congress to pass a federal data breach notification law to replace the patchwork of data-breach rules in various states. Efforts to pass a federal data breach notification standard have enjoyed bipartisan support over the years, but a bill has failed to pass Congress so far.

"I believe a single standard would let companies know what to do and consumers know what to expect," Ohlhausen said. She added that data breach legislation should be carefully crafted so it does not impose "undue costs" on businesses.

The commissioner expects this type of measure "will likely get some traction in the new Congress" due to the past support it's received on both sides of the aisle, but cautioned that "it's always hard to predict what Congress will do."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/