On May 12, 2014, the Federal Trade Commission announced that it has approved final consent orders with two companies that marketed genetically customized nutrition supplements. In addition to charges that the companies’ claims regarding the effectiveness of their products were not sufficiently substantiated, the settlements also allege that the companies misrepresented their privacy and security practices. The two companies, Gene Link, Inc. (“Gene Link”) and foru™ International Corp. (“foru” – a former subsidiary of Gene Link), represented in their privacy policy that they had “taken every precaution to create a process that allows individuals to maintain the highest level of privacy” and that the companies’ third-party service providers are “contractually obligated to maintain the confidentiality and security of the Personal Customer Information and are restricted from using such information in any way not expressly authorized” by the companies.

According to the FTC’s complaints against Gene Link and foru, the companies failed to provide appropriate security measures to protect consumers’ personal information by:

  • Not requiring service providers by contract to implement reasonable safeguards and not engaging in reasonable oversight of those service providers;
  • Maintaining consumers’ personal information, including Social Security numbers and bank account numbers, in clear text;
  • Enabling service providers to access consumers’ complete personal information, even if such information was not necessary for service providers to perform their duties; and
  • Neglecting to limit wireless access to their network.

The consent orders with Gene Link and foru prohibit the companies from misrepresenting the extent to which the companies maintain the privacy, security and confidentiality of consumers’ personal information. The consent orders also obligate the companies to implement comprehensive information security programs that are subject to independent assessment on a biennial basis for the next 20 years.