Data Privacy Day 2013 – Tip #2 – Dust Off Your Information Security Policy (or start putting one in place…)
Do you have a comprehensive information security program? Many businesses are still operating without one, leaving them open to preventable data breaches. The importance of info security programs was yet again underscored by the recent settlement between Cbr Systems and the Federal Trade Commission regarding a breach that affected 300,000 consumers.
Cbr Systems operates an umbilical cord blood registry that allows consumers to store newborn cord blood and cord tissue. In December of 2010 an employee’s Cbr laptop was stolen along with four backup tapes, an external hard drive, a flash drive and other company materials. The unencrypted backup tapes contained personal information including names, Social Security numbers, dates of birth, driver’s license numbers and credit and debit card numbers. The company hardware was also unencrypted and contained log in and passwords with which an intruder could access the Cbr networks and potentially other personal information.
The FTC analyzed a host of practices used by Cbr and found that Cbr did not provide reasonable security for consumer’s information. The practices the FTC looked at included Cbr’s failure to encrypt the information, keeping personal information when there is no longer a business need to do so and not adequately restricting employee access to information. (Remember, in Massachusetts, this would have been a violation of 201 CMR 17.00).
The extent of this breach could have been limited if Cbr had implemented policies and procedures and trained its employees on and followed standard information security practices. If you don’t have a comprehensive information security program or if it’s been a while since you reviewed your practices regarding data privacy and security, today is a good day to start. If you need help please contact one of our privacy attorneys.