Some secrets are so secret that no one knows about them. Until recently, this also described the secrets locked in our DNA. But key to consumer confidence in the booming genetic testing market is the extent to which people can rely on companies’ promises that “your secrets are safe with us.” In the first case involving the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. (now known as 1Health.io) failed to deliver on its promises and unfairly changed its privacy policy without customer consent. The proposed settlement and other recent actions send a loud and clear message that the FTC is fully committed to protecting consumer health information.
After consumers pay $29 to $259 to send Vitagene a saliva sample and answer online questionnaires about their health history, family history and lifestyle, the company provides them with a personalized health report. The report includes the client’s full name and an assessment of their risk for a range of health problems.
The company’s website, which uses images of locks, keys and secure clouds, is peppered with statements about its commitment to handling consumers’ genetic information with care. Here are some of the company’s promises.
- “We use industry standard security practices to store your DNA sample, your test results and any other personal data you provide.”
- “Rock-solid security. We use the latest technology and exceed industry standard security practices to protect your privacy.”
- “Vitagene collects, processes and stores your personal information in a responsible, transparent and secure environment to enhance customer trust and confidence.”
- “Your data is yours to control. You can delete your data at any time. This will delete your information from all our servers.”
- “Three ways we protect your privacy: 1. Your results and DNA samples will not be stored containing your name or any other common identifying information. 2. Vitagene will destroy your physical DNA saliva sample after analysis. 3. We will not share your information with any third party without your explicit consent.”
There’s good talk about privacy and security, but according to the FTC, Vitagene was more talk than action. You’ll have to read the complaint for the details, but part of the story starts in the cloud. As part of its IT infrastructure, Vitagene used well-known cloud service providers to store confidential information, including consumer health reports and DNA data. Instead of using the providers’ built-in measures to protect the information, Vitagene allegedly stored it in “buckets” configured so that anyone with Internet access could view detailed health reports for nearly 2,400 Vitagene customers. Also available: raw genetic data on at least 227 other customers, sometimes identified by name. Despite Vitagene’s promise to “exceed industry-standard security practices,” the FTC says the company did not encrypt this data, restrict access to it, monitor access to it, or inventory it to help ensure its security. The complaint also alleges that Vitagene failed to take steps to ensure that the lab it used for analysis had a destruction policy for DNA samples.
What’s more, the complaint alleges that Vitagene received three separate warnings over two years that it was storing customers’ health and genetic information in a publicly accessible manner. Warning #1: A message sent by the cloud provider in July 2017 stated that Vitagene had configured its data to “allow read access to anyone on the network.” The email included a link to the account control panel and information on how to restrict access. Vitagene’s response: crickets.
Warning #2 came from a security company that conducted a web application penetration test in November 2018 and “discovered that the uploaded DNA data had been stored . . . with no access control.” The complaint alleges that Vitagene again failed to correct the situation.
Warning #3 was an email sent to the Vitagene support inbox by security researchers in June 2019. Only after the researchers contacted the media, the FTC says, did the company finally investigate and find that it had publicly exposed customers’ health information. However, because Vitagene did not monitor who accessed or downloaded this data, it could not determine who else may have seen it.
Vitagene’s alleged missteps didn’t end there. In 2020, the company changed its privacy policy, retroactively expanding the types of third parties with which it may share consumer data to include grocery chains, dietary supplement manufacturers, and others. It did so without notifying customers who had provided their information under the previous, more stringent privacy policy and without obtaining their consent.
The complaint alleges the company was false or misleading in its promises to exceed industry security standards, store DNA results without identifying information, delete data at consumers’ request, and destroy physical DNA samples. More importantly, the FTC claimed that the company’s subsequent changes to its privacy policy on sharing sensitive personal information with third parties were an unfair practice that violated the FTC Act. Although Vitagene’s original privacy policy stated that a customer’s access to or use of the company’s services after the company posted a revised privacy policy meant that the consumer had accepted the revised terms, that language did not relieve Vitagene of its obligation to provide notice and obtain consumer consent before making material retroactive changes to its privacy practices. Additionally, the complaint alleges that Vitagene acted unfairly even though the company had not yet implemented the broader information-sharing practices set out in its revised privacy policy.
To resolve the case, 1health.io agreed to implement a comprehensive information security program, including third-party assessments every other year. In addition, executives must certify annually that the company complies with the terms of the settlement. The proposed settlement also includes a $75,000 payment. Once the settlement agreement appears in the Federal Register, the public will have 30 days to submit comments.
What can other companies learn from the FTC’s action?
Sensitive health information, including genetic information, requires intensive care. If your company collects or maintains consumer health information, the bar for the privacy and security standards you must implement is higher. Pay special attention to making sure your data practices live up to the commitments you make. (By the way, if you haven’t read the FTC’s May 2023 Biometric Information Policy Statement, set aside time to do so now.)
Just because the data is in your hands doesn’t mean it’s yours. Collecting consumer data doesn’t mean you can do whatever you want with it. Consumers have the right to know in advance how you intend to use their information, and you have a legal obligation to comply with your representations. This means that if you want to change your practices in the future, bait-and-switch changes to your privacy policy won’t be enough. You will need to obtain explicit consent from consumers for any new uses of their data.
As far as security is concerned, keeping your stuff in the cloud doesn’t mean you can keep your head in the clouds. The Federal Trade Commission has long said that storing data in the cloud does not give companies a free pass on security. You are still responsible for taking reasonable steps to protect your data – for example, by properly configuring cloud security settings and by inventorying and auditing your cloud storage. As the FTC’s request for information on cloud computing makes clear, sellers of cloud technology and the companies that use their services share a responsibility to protect consumers’ personal information.
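As an added illustration (not part of the FTC’s post, and not Vitagene’s or any cloud provider’s code), the audit below runs over a set of constructed, hypothetical bucket records and flags the four failures the complaint describes: public read access, no encryption, no access monitoring, and storage that is missing from the data inventory. The record shape, bucket names and data classes are assumptions; a real audit would populate the records from the storage provider’s API.

```python
"""Offline cloud-storage audit for the failure modes described above.
All bucket records below are constructed sample data (hypothetical)."""
from dataclasses import dataclass, field

# Data classes that count as sensitive health/genetic information (assumed labels).
SENSITIVE = {"health_report", "raw_dna"}


@dataclass
class Bucket:
    name: str
    public_read: bool           # "allow read access to anyone on the network"
    encrypted_at_rest: bool
    access_logging: bool        # who accessed or downloaded the data
    data_classes: set = field(default_factory=set)


def audit_bucket(b: Bucket) -> list:
    """Return the findings for one bucket, in a fixed order."""
    findings = []
    sensitive = bool(b.data_classes & SENSITIVE)
    if b.public_read:
        # Public buckets can be legitimate (a static website); public
        # buckets holding health or DNA data never are.
        findings.append("public-read-sensitive" if sensitive else "public-read-review")
    if sensitive and not b.encrypted_at_rest:
        findings.append("unencrypted-sensitive")
    if sensitive and not b.access_logging:
        findings.append("no-access-logging")
    return findings


def audit_inventory(discovered: list, inventory: set) -> dict:
    """discovered: buckets actually present in the account; inventory: bucket
    names the data inventory knows about. Anything discovered but not
    inventoried is itself a finding, since it cannot be protected or monitored."""
    report = {}
    for b in discovered:
        findings = audit_bucket(b)
        if b.name not in inventory:
            findings.append("not-in-inventory")
        if findings:
            report[b.name] = findings
    return report


# Constructed sample account: two exposed sensitive buckets, one public web
# bucket, and one correctly configured archive.
SAMPLE_BUCKETS = [
    Bucket("reports-prod", True, False, False, {"health_report"}),
    Bucket("dna-uploads", True, True, False, {"raw_dna"}),
    Bucket("website-static", True, False, False, {"public_web"}),
    Bucket("reports-archive", False, True, True, {"health_report"}),
]
KNOWN_INVENTORY = {"reports-prod", "website-static", "reports-archive"}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_BUCKETS, KNOWN_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```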
Respond to credible warnings of potential security vulnerabilities. The complaint against Vitagene says the company repeatedly failed to heed alerts from others – including its cloud storage provider – that raised questions about the security of its cloud-based information. Do you have systems in place to ensure these alerts reach the right people and get the immediate attention they deserve?