The Federal Trade Commission has charged genetic testing firm 1Health.io for failing to implement data security practices and misleading customers about the privacy of their information in violation of Section 5(a) of the FTC Act. As part of a proposed settlement with the FTC, 1Health may be required to pay $75,000 in consumer refunds, while also being subject to various cybersecurity restrictions.

This action follows the FTC's recent biometric policy statement, which cautioned against the misuse of biometric information that could harm consumers. As the first case of its kind, this action provides insight into the FTC's approach to privacy and the security of genetic information with significant implications for companies that handle such data.

Compromised Privacy and Security of Genetic Data

San Francisco-based 1Health, formerly known as Vitagene, sells DNA health test kits and uses the results, combined with information provided by customers, to produce reports about their health, wellness, and ancestry. In its complaint, the FTC alleged that 1Health made numerous deceptive claims concerning its privacy practices, and failed to keep its promise of exceeding industry-standard security practices. Instead, the company:

  • Did not separate DNA from other identifying information;
  • Did not have an inventory of consumers' information, and could not delete all customer information for customers who requested deletion of their data;
  • Did not have a contract and procedures to ensure that the lab that analyzed its DNA samples properly destroyed them;
  • Stored unencrypted health, genetic, and other personal information in publicly accessible data buckets without restricting or monitoring its access; and
  • Received at least three warnings over a two-year period before addressing the data exposure and notifying affected customers.

To rectify these issues, the proposed order requires that 1Health instruct labs to destroy saliva samples pursuant to their agreement. In addition, the firm must implement a comprehensive information security program that utilizes specific security technologies, is assessed at least annually, and is tested annually for the effectiveness of its security controls. The program must be assessed by a qualified, objective, independent third-party professional every two years for the next 20 years. A "senior corporate manager" must certify compliance with the order annually. All incidents of unauthorized disclosure of consumers' personal health data must be reported to the FTC. CEO Mehdi Maghsoodnia criticized the FTC's action as "extraordinary overreach."

Retroactively Changed Privacy Policy Without Notifying Customers

According to the FTC, 1Health also changed its privacy policy retroactively without sufficiently informing or obtaining consent from consumers whose data it had already collected. Its update expanded the type of third parties with which it may share consumers' data, including, for example, supermarkets and nutrition and supplement manufacturers.

As part of the proposed order, 1Health will be required to obtain consumers' affirmative express consent to share health data with third parties. The Director of the FTC's Bureau of Consumer Protection cautioned that "companies that try to change the rules of the game by re-writing their privacy policy are on notice."

Next Steps and Implications for the Industry

The proposed order was accepted by the FTC in a unanimous 3-0 vote. After a 30-day public comment period, the FTC will determine whether to finalize the agreement. The FTC appears to be on the verge of following in the enforcement footsteps of the New York Department of Financial Services, and regulators are coalescing around a common set of security requirements across industries. Companies should make sure that they have a cybersecurity program in place with detailed policies and procedures. Risk assessments should be conducted to determine the risks to company data and systems, with a section of the assessment focused on the risks to sensitive personal information. The program should include testing of the effectiveness of controls. Companies need to maintain a comprehensive data inventory, clear data retention schedules, and formalized data minimization practices. Additionally, the intense regulatory focus on third-party management means that companies cannot simply rely on the representations of vendors: they need to obtain proof that data is being handled, protected, and destroyed in an appropriate and timely manner.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.