According to the FTC Complaint, Cbr took unnecessary risks by allowing employees to transport personal data contained on backup tapes, laptops, and other electronic devices in a way that made the information vulnerable to theft. The FTC alleged that such practices contributed to a December 2010 security breach in which unencrypted backup tapes, a Cbr laptop, external hard drive, and thumb drive were stolen from an employee’s personal vehicle. The stolen devices contained personal data, including the names, addresses, contact information, and credit card numbers of nearly 300,000 customers.
Settlement Provisions: In resolving these allegations, the FTC settlement bars Cbr from making material representations about the extent to which the company maintains the privacy and security of consumers’ personal information. The settlement also requires Cbr to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years. Going forward, a violation of the settlement could expose the company to up to $16,000 per violation.
What This Settlement Signals: Not coincidentally, the FTC announced the settlement on January 28, National Data Privacy Day. The timing underscores that, in 2013, the FTC will continue to hold companies accountable for the representations that they make to consumers regarding their privacy practices, and for appropriately securing the personal data in their control.