Cord Blood Bank Settles FTC Charges that it Failed to Protect Consumers’ Sensitive Personal Information


On January 28, 2013, CBR Systems, Inc. (CBR) agreed to settle FTC charges that it failed to protect its customers’ personal information, including nearly 300,000 customers’ Social Security numbers and credit and debit card numbers. 

CBR collects and stores umbilical cord blood and umbilical cord tissue for potential medical use.  The company also collects and stores customers’ personal information, including each customer’s name, address, email address, telephone number, date of birth, Social Security number, driver’s license number, credit card number, debit card number, medical health history profile, blood typing results, and infectious disease marker results.  According to the FTC, the misuse of the types of personal information CBR collects—including Social Security numbers, dates of birth, credit card numbers, and health information—can facilitate identity theft, including existing and new account fraud, expose sensitive medical data, and lead to related consumer harms.

Specifically, the FTC alleged that CBR did not use “reasonable and appropriate practices to protect consumers’ personal information from unauthorized access.”  For instance, CBR created unnecessary risks to its customers’ personal information by transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.  CBR also failed to take sufficient measures to prevent, detect, and investigate unauthorized access to its computer networks.

To address the FTC’s concerns, CBR agreed to a settlement.  Specifically, the FTC’s Consent Order provides that CBR must “establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.”  The security program must contain administrative, technical, and physical safeguards appropriate to CBR’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers.  The Consent Order also requires CBR to engage a “qualified, objective, independent third-party professional” to provide reports on CBR’s progress in implementing the provisions in the Consent Order.

Reporter, John Carroll, Washington, D.C., +1 202 626 2993

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
