DNA testing has long been a hot-button issue for security and privacy. Concerns about everything from law enforcement and data retention to job offers and insurance have all been examined at great length. With millions of people signing up to use these services, it was only a matter of time before something went wrong.
Well, the inevitable legal clash is now here and comes courtesy of the Federal Trade Commission which has made a complaint in relation to an alleged failure to protect client privacy. From the FTC release:
According to the FTC, close to 2,400 reports about consumers and the “raw genetic data” of at least 227 people were at risk. Despite claims of rock-solid security, this sensitive data was being stored in publicly accessible Amazon Web Services buckets. According to the complaint, the data in the storage buckets was not encrypted, no monitoring was in place to record who was accessing it, and there were no access restrictions either.
In fact, the company was warned “at least” three times across a two-year period about the insecure buckets. Only when a security researcher contacted the company in 2019 regarding the buckets was the issue finally investigated, and the customers whose data was potentially exposed were notified.
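As an added example (not from the FTC release or this article), here is a small Python check that scores a bucket's configuration against the three gaps the complaint describes: public access not restricted, no encryption at rest, and no access logging. The input dict shapes are assumed to mirror the boto3 responses for get_public_access_block, get_bucket_encryption and get_bucket_logging, and both sample buckets are constructed.

```python
"""Assess an S3 bucket's settings against the three failures in the complaint:
no restriction on public access, no encryption at rest, no access logging.
Input dicts are assumed to mirror boto3's get_public_access_block,
get_bucket_encryption and get_bucket_logging responses; an empty dict
stands for "not configured" (the state an unconfigured bucket reports)."""

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_bucket(name, public_access_block, encryption, logging):
    """Return a list of findings; an empty list means all three controls exist."""
    findings = []

    # Access restriction: all four public-access-block flags must be enabled.
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PAB_FLAGS if not pab.get(f, False)]
    if missing:
        findings.append(f"{name}: public access not fully blocked "
                        f"(missing {', '.join(missing)})")

    # Encryption at rest: a default server-side encryption rule must exist.
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules]
    if not any(algos):
        findings.append(f"{name}: no default server-side encryption")

    # Monitoring: server access logging must deliver to a target bucket.
    if not logging.get("LoggingEnabled", {}).get("TargetBucket"):
        findings.append(f"{name}: server access logging disabled")

    return findings


# Constructed sample configurations (hypothetical buckets, not real ones).
EXPOSED = {
    "public_access_block": {},   # never configured, so nothing is blocked
    "encryption": {},            # no default SSE rule
    "logging": {},               # LoggingEnabled absent
}
HARDENED = {
    "public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "logging": {"LoggingEnabled": {"TargetBucket": "audit-logs", "TargetPrefix": "dna/"}},
}

if __name__ == "__main__":
    for label, cfg in (("exposed-bucket", EXPOSED), ("hardened-bucket", HARDENED)):
        print(label, assess_bucket(label, **cfg) or ["OK"])
```

The exposed sample produces all three findings; the hardened one produces none.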
Elsewhere, promises related to destroying retained DNA samples linked to a consumer’s name or other identifying information were not kept. 1Health—previously known as Vitagene—claimed on its website that DNA was not stored, and that consumers could delete their personal information at any time. When such a request was made, the company said, the data would be scrubbed from the company’s servers, and all DNA saliva samples would likewise be destroyed once they had been analyzed.
Some examples given are supermarket chains and nutrition/supplement manufacturers. There was no need to notify consumers who had previously shared personal data with the company, nor was there a need to obtain their consent to share it, according to the complaint.
In terms of what happens next, the DNA firm must pay $75,000, which the FTC will use for consumer refunds. Additionally, under the proposed order, the company:
- Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order;
- Must notify the FTC about incidents of unauthorised disclosure of consumers’ personal health data; and
- Must implement a comprehensive information security program addressing the security failures outlined in the complaint.
All of this is in addition to the DNA deletion requirement.
The consent agreement package will be made live soon, at which point the public can comment for 30 days prior to the decision on whether the proposed consent order is made final.
This may be the case that makes people think twice about handing over valuable DNA data to organisations claiming to use top-of-the-line security measures alongside consumer-friendly privacy policies. If major alterations to those policies can be applied retroactively, you may be at risk. The FTC has this to say:
Depending on both your location and that of the company you gave your data to, the FTC may not be able to do anything about it should something go wrong at a later date.