A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data.
Alleged Privacy and Security Violations
The FTC also alleged that 1Health.io stored customers’ genetic data in a publicly accessible “bucket” provided by Amazon Web Services (“AWS”), despite being notified of such during a penetration test of its web application, and by AWS itself. According to the complaint, in an email to 1Health.io, AWS warned 1Health.io that one or more of its storage buckets was “configured to allow read access from any user on the Internet.” 1Health.io allegedly did not correct the issue in time—about two years later, a “security researcher” sent 1Health.io a link to the publicly accessible data, but also notified the news media, resulting in numerous complaints from customers.
Additionally, according to the complaint, 1Health.io’s FAQs stated that DNA saliva samples would be destroyed after analysis. However, the FTC alleged that the company failed to require one of its vendors—a genotyping laboratory partner—to destroy saliva samples after they were analyzed.
There are several takeaways from the 1Health.io action. First, companies should carefully consider implications when making “material” changes to privacy policies governing consumers’ data, especially when sensitive data is implicated. While logistically challenging, in some situations, consent should be considered to minimize risk. Second, companies should carefully, and periodically, review data shared with vendors, including cloud providers, to ensure such vendor systems are configured to secure data from unauthorized access. Simple changes can minimize the risk of security incidents. Third, public-facing statements in privacy policies and even FAQs should always be consistent with business practices. Finally, companies ought to establish, communicate and abide by appropriate retention policies for consumer data.
These lessons learned are important to companies to consider when developing data governance programs guided by good data stewardship principles and fair information practices. You can learn more about developing a “Culture of Data Governance” by clicking the link here.
Epstein Becker Green will be closely following developments related to FTC enforcement in the privacy and data protection space. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post. Read more about our expansive capabilities and offerings here.
- Senior Counsel
- Member of the Firm