August 18, 2017

August 17, 2017

Subscribe to Latest Legal News and Analysis

August 16, 2017

Subscribe to Latest Legal News and Analysis

August 15, 2017

Subscribe to Latest Legal News and Analysis

Data Privacy Day 2013 – Tip #2 – Dust Off Your Information Security Policy (or start putting one in place…)

Do you have a comprehensive information security program?  Many businesses are still operating without one, leaving them open to preventable data breaches.  The importance of info security programs was yet again underscored by the recent settlement between Cbr Systems and the Federal Trade Commission regarding a breach that affected 300,000 consumers.

Cbr Systems operates an umbilical cord blood registry that allows consumers to store newborn cord blood and cord tissue.  In December of 2010 an employee’s Cbr laptop was stolen along with four backup tapes, an external hard drive, a flash drive and other company materials.  The unencrypted backup tapes contained personal information including names, Social Security numbers, dates of birth, driver’s license numbers and credit and debit card numbers.  The company hardware was also unencrypted and contained log in and passwords with which an intruder could access the Cbr networks and potentially other personal information.

The FTC analyzed a host of practices used by Cbr and found that Cbr did not provide reasonable security for consumer’s information.  The practices the FTC looked at included Cbr’s failure to encrypt the information, keeping personal information when there is no longer a business need to do so and not adequately restricting employee access to information.  (Remember, in Massachusetts, this would have been a violation of 201 CMR 17.00).

The extent of this breach could have been limited if Cbr had implemented policies and procedures and trained its employees on and followed standard information security practices.  If you don’t have a comprehensive information security program or if it’s been a while since you reviewed your practices regarding data privacy and security, today is a good day to start.  If you need help please contact one of our privacy attorneys.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

The frictionless flow of information is a defining feature of today’s information economy. Your organization’s ability to transfer customer data, employee files, financial records, and other information around the country or the globe quickly and cheaply has opened a world of new opportunities. Privacy laws vary by jurisdiction and are interpreted unpredictably, and even if your business is extremely conscientious, it can make a false step as it captures, uses, transfers, and discloses personal information. The consequences can be serious and even devastating — heavy...