Advertisement

July 25, 2014

Data Privacy Day 2013 – Tip #2 – Dust Off Your Information Security Policy (or start putting one in place…)

Do you have a comprehensive information security program?  Many businesses are still operating without one, leaving them open to preventable data breaches.  The importance of info security programs was yet again underscored by the recent settlement between Cbr Systems and the Federal Trade Commission regarding a breach that affected 300,000 consumers.

Cbr Systems operates an umbilical cord blood registry that allows consumers to store newborn cord blood and cord tissue.  In December of 2010 an employee’s Cbr laptop was stolen along with four backup tapes, an external hard drive, a flash drive and other company materials.  The unencrypted backup tapes contained personal information including names, Social Security numbers, dates of birth, driver’s license numbers and credit and debit card numbers.  The company hardware was also unencrypted and contained log in and passwords with which an intruder could access the Cbr networks and potentially other personal information.

The FTC analyzed a host of practices used by Cbr and found that Cbr did not provide reasonable security for consumer’s information.  The practices the FTC looked at included Cbr’s failure to encrypt the information, keeping personal information when there is no longer a business need to do so and not adequately restricting employee access to information.  (Remember, in Massachusetts, this would have been a violation of 201 CMR 17.00).

The extent of this breach could have been limited if Cbr had implemented policies and procedures and trained its employees on and followed standard information security practices.  If you don’t have a comprehensive information security program or if it’s been a while since you reviewed your practices regarding data privacy and security, today is a good day to start.  If you need help please contact one of our privacy attorneys.

©1994-2014 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Author

Amy Malone, Corporate, Securities, Attorney, Mintz Levin, Law Firm
Associate

Amy’s practice is focused on corporate matters, such as compliance with SEC regulations and privacy and security issues.

Prior to joining Mintz Levin, Amy served as the director of privacy at Fidelity Investments. Her work there included overseeing the updates of the firm's privacy notice and coordinating privacy incident response. Amy also served as a legal risk advisor for that company.

617-348-3099

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full