(Clarifies in paragraph 11 that the company is working towards compliance rather than having completed the task)
* Firm not penalized but must improve data policies
* Data from nearly 300,000 clients stolen from car
* Financial data, Social Security numbers stolen
WASHINGTON, Jan 28 (Reuters) - California-based CBR Systems Inc, which stores stem cells from umbilical cord blood, has settled charges that poor data protection policies led to the exposure of hundreds of thousands of clients' Social Security numbers and financial data, the Federal Trade Commission said on Monday.
While there are no rules generally regarding how personal information must be safeguarded, the FTC pursues companies that are particularly sloppy or which promise to safeguard clients' personal information and then do not.
The commission, however, does not have the authority to penalize firms for misrepresentation.
CBR Systems, which says it is the world's largest stem cell bank, had pledged to customers that it safeguarded its clients' personal data but in fact it did not, the FTC said.
In one incident, on Dec. 9, 2010, a CBR employee took unencrypted backup tapes, a laptop computer, an external hard drive, a USB drive and other materials from a CBR office in San Francisco to transport them to the nearby corporate headquarters, the FTC said in its complaint.
The data and devices were left in the employee's car and were stolen, the FTC said.
The stolen data affected 298,000 clients and included such information as names, gender, Social Security numbers, driver's license numbers and credit and debit card numbers, the complaint said.
The data also included passwords that could have been used to break into CBR's network, the complaint added.
"The FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by CBR," FTC Chairman Jon Leibowitz said in a statement.
Under the settlement, CBR must set up and maintain an information security program and submit to security audits by independent auditors every year for 20 years, the FTC said.
CBR Systems has since begun encrypting sensitive data and is working towards complying with the FTC requirements, said Kathy Engle, the company's director of corporate communications.
"It is an ongoing problem. Companies collect sensitive personal information and don't do enough to safeguard it," said Marc Rotenberg, director of the Electronic Privacy Information Center. "They didn't even routinely encrypt the information that they collected."
(Reporting by Diane Bartz; Editing by Dan Grebler and Bob Burgdorfer)