Enough Already: Encrypt Those Portable Devices


The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers’ licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car for several days.

In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers’ personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank “to establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about customers.” The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.

Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to remain all too common. In Canada, there has been a string of cases in which government custodians have lost control of unencrypted storage devices containing personal information.

The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.

The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the approach of the FTC in relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibit misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
