FTC Online Privacy Protection Campaign Kicks Into High Gear

As the Federal Trade Commission settles with a company over allegations of a massive data breach that exposed medical records, it continues its work evaluating the privacy practices of businesses in the Internet age.

By Kenneth Corbin
Mon, January 28, 2013

CIO

WASHINGTON -- As the Federal Trade Commission continues its work in evaluating the privacy practices of businesses in the Internet age, agency staffers are focusing not only on what personal information companies are collecting and how they're using it, but also on the security measures in place to keep that data out of the hands of would-be identity thieves and other bad actors.

Speaking here at an event to mark Data Privacy Day, an annual initiative led by the nonprofit National Cyber Security Alliance, Commissioner Maureen Ohlhausen stressed that the FTC's privacy work is closely coupled with its consideration of industry security practices.

When businesses fail to implement or enforce strong security practices, they run the risk of suffering a major data breach that can expose sensitive information about their customers, severely damaging the firm's brand and inviting an enforcement action from federal authorities, Ohlhausen warns.

"Data is an increasingly vital asset and companies need to protect their ... customers' personal information from theft and unauthorized access that can hurt customers and harm the business's reputation. That's where data security comes in. Data security is part of the broader topic of data privacy," she says. "Regardless of how one feels about the use of consumer data for marketing or targeting purposes, I believe we can all agree that failure to take reasonable precautions to secure data from identity thieves and other malicious parties hurts consumers and legitimate businesses alike."

The timing of Ohlhausen's keynote address was apt. Earlier today, the FTC announced that it had reached a settlement with Cbr Systems, the operator of a cord blood bank, concerning allegations of a data breach that may have exposed sensitive information of nearly 300,000 consumers.

The FTC's complaint against Cbr Systems, which stores umbilical cord blood and tissue, dates to December 2010, when unencrypted backup tapes, a laptop and other equipment were stolen from an employee's car, according to the commission. As a result, sensitive health information, credit card and Social Security numbers and other data were compromised, and the laptop and a hard drive that were stolen included passwords and protocols that could have provided access to Cbr Systems' internal network.

The FTC based its complaint on its authority under the section of its charter statute concerning unfair or deceptive practices, maintaining that the company violated its own privacy policy by failing to have in place reasonable policies and procedures for safeguarding its customers' information, and that it courted further risk by carelessly transporting portable storage devices.
