It’s been an interesting few weeks for those who have followed the Cord Blood Registry (CBR) data breach.
As background: back in February 2011, CBR disclosed that backup tapes with 300,000 people’s information had been stolen from an employee’s unattended vehicle in December 2010. CBR offered those affected one year of free credit monitoring and indicated that they had improved their security. That didn’t satisfy everyone, it seems, as a potential class action lawsuit was filed (Johansson-Dohrmann v. CBR Systems, Inc.).
The FTC also took action. In its complaint, the FTC alleged that Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained. In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.
That settlement placed CBR under monitoring for 20 years and barred any misrepresentation of its privacy and security protections.
Now today, a judge gave preliminary approval to the settlement of the class-action lawsuit. Thomson Reuters reports:
Under terms of the proposed settlement, reached last November, CBR will have to provide credit monitoring and identity theft insurance to each affected class member [for up to two years], as well as cash reimbursements for any losses resulting from identity theft.
Plaintiff’s lawyer Patrick Keegan estimated that the credit monitoring package was worth up to $112 million to the class members, according to court documents. The settlement also provides up to $600,000 in payment to the plaintiff’s lawyers.
I wonder how much this breach cost CBR in total. Investigating the breach to determine whose information was on the devices and who required notification, defending against both the lawsuit and the FTC, hiring auditors, paying for ID theft insurance and credit monitoring, and improving its security are not cheap, even though most class members will likely never sign up for the free credit monitoring.
And all because devices with unencrypted PII were left in an unattended vehicle.
I bet they won’t do that again. Or at least, I hope they won’t. The FTC cannot fine first offenders, but if there’s another incident, the FTC could seek heavy monetary penalties.
And I bet they breathed a sigh of relief that they are not a HIPAA-covered entity, or HHS/OCR would have been investigating them, too. As it is, it is still possible that state attorneys general could take action, although if we haven’t seen any press releases about such investigations by now, I tend to doubt we will.