Back in December 2010, a computer belonging to Cord Blood Registry (CBR) and a backup tape with customers’ information were stolen from an employee’s unattended vehicle. The breach was disclosed in February 2011, and I covered it on this blog, here.
The FTC charged that Cbr’s failures to provide reasonable and appropriate security for consumers’ personal information contributed to a December 2010 security breach during which unencrypted backup tapes containing consumers’ personal information, a Cbr laptop, a Cbr external hard drive, and a Cbr USB drive were stolen from a Cbr employee’s personal vehicle in San Francisco, California. According to the complaint, the unencrypted backup tapes included, in some cases, the names, gender, Social Security numbers, dates and times of birth, drivers’ license numbers, credit and debit card numbers, card expiration dates, checking account numbers, addresses, email addresses, telephone numbers and adoption type (e.g., open, closed, or surrogate) of approximately 298,000 Cbr customers.
The consent decree places CBR under monitoring and requires it to strengthen its information security program. Because this is the FTC’s first action against CBR, there are no monetary penalties involved.