The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers' personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers' licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee's car for several days.
In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers' personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank "to establish and maintain a comprehensive information security program that is reasonable designed to protect the security, confidentiality, and integrity of personal information collected from or about customers." The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.
Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to continue to be an all too common phenomenon. In Canada, there has been a string of cases in which government custodians in Canada have lost control of unencrypted storage devices containing personal information.
The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.
The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the approach of the FTC in relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibits misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.
For more information, visit our Data Governance Law blog at www.datagovernancelaw.com
About Fraser Milner Casgrain LLP (FMC)
FMC is one of Canada's leading business and litigation law firms with more than 500 lawyers in six full-service offices located in the country's key business centres. We focus on providing outstanding service and value to our clients, and we strive to excel as a workplace of choice for our people. Regardless of where you choose to do business in Canada, our strong team of professionals possess knowledge and expertise on regional, national and cross-border matters. FMC's well-earned reputation for consistently delivering the highest quality legal services and counsel to our clients is complemented by an ongoing commitment to diversity and inclusion to broaden our insight and perspective on our clients' needs. Visit: www.fmc-law.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
