Cord Blood Bank Settles FTC Charges that it Failed to Protect Consumers’ Sensitive Personal Information


On January 28, 2013, CBR Systems, Inc. (CBR) agreed to settle FTC charges that it failed to protect its customers’ personal information, including nearly 300,000 customers’ Social Security numbers and credit and debit card numbers. 

CBR collects and stores umbilical cord blood and umbilical cord tissue for potential medical use.  The company also collects and stores customers’ personal information, including each customer’s name, address, email address, telephone number, date of birth, Social Security number, driver’s license number, credit card number, debit card number, medical health history profile, blood typing results, and infectious disease marker results.  According to the FTC, the misuse of the types of personal information CBR collects—including Social Security numbers, dates of birth, credit card numbers, and health information—can facilitate identity theft, including existing and new account fraud, expose sensitive medical data, and lead to related consumer harms.

Specifically, the FTC alleged that CBR did not use “reasonable and appropriate practices to protect consumers’ personal information from unauthorized access.”  For instance, CBR created unnecessary risks to its customers’ personal information by transporting that information on backup tapes, a thumb drive, and other portable data storage devices in a way that left it vulnerable to theft.  CBR also failed to take sufficient measures to prevent, detect, and investigate unauthorized access to its computer networks.

To address the FTC’s concerns, CBR agreed to a settlement.  Specifically, the FTC’s Consent Order provides that CBR must “establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”  The security program must contain administrative, technical, and physical safeguards appropriate to CBR’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers.  The Consent Order also requires CBR to engage a “qualified, objective, independent third-party professional” to provide reports on CBR’s progress in implementing the provisions of the Consent Order.

Reporter, John Carroll, Washington, D.C., +1 202 626 2993,


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
