* Firm not penalized but must improve data policies
* Data from nearly 300,000 clients stolen from car
* Financial data, Social Security numbers stolen
WASHINGTON, Jan 28 - California-based CBR Systems
Inc, which stores stem cells from umbilical cord blood, has
settled charges that poor data protection policies led to the
exposure of hundreds of thousands of clients' Social Security
numbers and financial data, the Federal Trade Commission said on
While there are no rules generally regarding how personal
information must be safeguarded, the FTC pursues companies that
are particularly sloppy or which promise to safeguard clients'
personal information and then do not.
The commission, however, does not have the authority to
penalize firms for misrepresentation.
CBR Systems, which says it is the world's largest stem cell
bank, had pledged to customers that it safeguarded their
clients' personal data but in fact it did not, the FTC said.
In one incident, on Dec. 9, 2010, a CBR employee took
unencrypted backup tapes, a laptop computer, an external hard
drive, a USB drive and other materials from a CBR office in San
Francisco to transport them to the nearby corporate
headquarters, the FTC said in its complaint.
The data and devices were left in the employee's car and were
stolen, the FTC said.
The stolen data affected 298,000 clients and included such
information as names, gender, Social Security numbers, drivers'
license numbers and credit and debit card numbers, the complaint
The data also included passwords that could have been used
to break into CBR's network, the complaint added.
"The FTC can and will take action to make sure that
companies live up to the privacy promises they make to
consumers, particularly when it comes to highly sensitive
information like the health information collected by CBR," FTC
Chairman Jon Leibowitz said in a statement.
Under the settlement, CBR must set up and maintain an
informational security program and submit to security audits by
independent auditors every year for 20 years, the FTC said.
CBR Systems has since begun encrypting sensitive data and is
now in compliance with the FTC requirements, said Kathy Engle,
the company's director of corporate communications.
"It is an ongoing problem. Companies collect sensitive
personal information and don't do enough to safeguard it," said
Marc Rotenberg, director of the Electronic Privacy Information
Center. "They didn't even routinely encrypt the information that
(Reporting by Diane Bartz; Editing by Dan Grebler)