The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers’ licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car for several days.
In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers’ personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank “to establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about customers.” The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.
Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to remain an all too common practice. In Canada, there has been a string of cases in which government custodians have lost control of unencrypted storage devices containing personal information.
The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.
The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the FTC’s approach of relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibit misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.