Laptop Data Encryption And Mobile Security: Cbr Systems Settles With FTC, Nearly 300,000 Affected.

Cbr Systems, a cord-blood bank, has agreed to settle with the US Federal Trade Commission over a number of charges.  Among them lies the accusation that Cbr didn’t provide adequate data security, a situation that could have been partially addressed via the use of AlertBoot endpoint encryption for laptops and external hard drives.

Over 300,000 Affected in 2011

In 2011, I had lightly covered the Cbr situation, noting that “customer names, SSNs, driver’s license numbers, and credit card numbers” were lost due to the theft of a laptop computer and backup tapes from an employee’s car.  However, my biggest question at the time was, is this or is this not a HIPAA breach?

To HIPAA or Not to HIPAA?

Cbr had expressly stated that HIPAA does not apply to them, despite working in a sector that many would consider “medical”: handling blood and tissue from the umbilical cords of newborn infants.  Today, we know that the statement must have been true, because the company reached a settlement with the FTC and not with the Office for Civil Rights at the Department of Health and Human Services (HHS), which is in charge of enforcing HIPAA regulations.

You might be wondering what’s going on.  In a nutshell, it comes down to this: not all medical organizations are subject to HIPAA/HITECH.  That’s because organizations need to meet certain conditions before they are subject to HIPAA.  For example, an organization is subject to HIPAA if it receives payments electronically.  Consequently, those who only deal with cash wouldn’t need to follow HIPAA (not that this is the only condition).

However, this does not mean that medical organizations not subject to HIPAA are free to ignore the rules found under HIPAA.  Those who are not accountable to the HHS, which enforces HIPAA, are accountable to the FTC, which, according to some experts, has even stricter rules.  For one thing, not only does the FTC require that an organization protect personal data at the same level that HIPAA requires (well, they don’t actually state that…but it’s a given, really), the FTC can also add other charges that are unrelated to medical issues.

Like charges of fraud and deception.

FTC Works to Prevent Fraudulent, Deceptive, and Unfair Business Practices

The mission of the FTC reads as follows:

To prevent business practices that are anticompetitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.

What exactly is “deceptive,” though?  Well, if we are to take a cue from the FTC’s past actions, it turns out that promises made but not kept are deceptive business practices.  For example, take the Cbr case:

In its privacy policy, Cbr claimed that “[w]henever CBR handles personal information, regardless of where this occurs, CBR takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy…”

However, the FTC found that the US’s leading cord blood bank wasn’t quite living up to its promises in its privacy policy (my emphasis):

…Cbr failed to use reasonable and appropriate procedures for handling customers’ personal information, making its privacy policy claim deceptive under the FTC Act.  According to the complaint, Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained.  In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.  According to the FTC, Cbr also failed to take sufficient measures to prevent, detect, and investigate unauthorized access to computer networks.

The non-use of proven and established security technologies like full disk encryption for laptops – which are de rigueur in any company that handles sensitive personal data and, dare I say, pretty well established as a breach prevention policy – can only add fuel to the charges in this case.
