FTC Investigating How DNA Testing Firms Protect User Data
It appears the FTC has obliged U.S. officials and begun investigating the data security practices of DNA testing companies like 23andMe and Ancestry.com.
The Federal Trade Commission is reportedly looking into how DNA testing companies protect their customers' personal information, like genetic data.
The business magazine Fast Company broke the news last week after the FTC denied a Freedom of Information Act request by the publication to look into the records pertaining to 23andMe and Ancestry.com, perhaps the two largest DNA testing companies operating currently.
In a response to the publication the FTC said any records “would be exempt from disclosure . . . because disclosure of that material could reasonably be expected to interfere with the conduct of the Commission’s law enforcement activities.”
In its response to Fast Company the FTC cited 5 U.S.C. 552(b)(7)(A) - an exemption under the Freedom of Information Act (5 USC 552) - that exempts "records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information... could reasonably be expected to interfere with enforcement proceedings.
It's not surprising, especially in the wake of this spring's Cambridge Analytica scandal, that the FTC wants to key in on what kind of information these companies have on users and how exactly they may or may not be sharing it with third parties.
While Facebook inadvertently exposed the information of 87 million users as part of the Cambridge Analytica debacle, including users’ identities, friend networks and “likes,” if leaked, the sensitive data parsed by DNA testing companies could be even more ruinous.
Analysts on Data-Centric Security
While the space is already popular, a marketing research report released earlier this year suggests the direct-to-consumer (DTC) DNA test business is poised to explode in several years. Kalorama Information, which publishes research around biotechnology, medical devices, and healthcare, said in February the market could triple from $99 million to $310 million by 2022.
The news happened to coincide with a report last week that MyHeritage, an Israeli firm that tests DNA and allows users to access their online family trees, suffered a breach last year. While DNA data wasn't compromised in the incident 92 million of its users emails and hashed passwords were. Omer Deutsch, the company's Chief Information Security Officer, said he received a message from a security researcher who came across a file, "myheritage," that contained the data.
In an update over the weekend the company reaffirmed to users that there has been no evidence of unauthorized access to accounts and further data, like DNA.
"DNA data is protected by additional layers of security and does not reside on the same system that stores user credentials. A user can download their own DNA data, but the procedure for that requires not just password entry but also authorization through the user’s mailbox, so it cannot be done even by someone who knows your password. Our internal statistics showed no increase in DNA data downloads throughout the past year," the company wrote in a blog entry on Sunday.
For what it's worth the company has been transparent about its actions following the breach. The company expired all of its users' passwords on June 5, the day after its disclosure; it deployed two-factor authentication the next day, Wednesday. MyHeritage is still in the middle emailing its users and will log out users who haven't logged out and logged back in for a while, something that will take some time, according to the company.
While the FTC still hasn’t publicly said its looking into DNA testing companies, it did urge consumers to recognize the risks associated with firms like 23andMe and Ancestry.com last year.
Lesley Fair, a Senior Attorney for the FTC's Bureau of Consumer Protection, advised would-be DNA test kit users to exercise caution before giving their data away to a company.
“A company’s out-of-the-box defaults often aren’t the most private options, so it’s unwise simply to accept a site’s automatic settings. A more prudent approach to consider is to select more protective options initially and revisit your choices once you’ve become familiar with how the site operates,” Fair wrote at the time.
The FTC's warning came a few weeks after DNA kit makers raised the ire of Sen. Chuck Schumer (D-NY). Schumer, in a press conference in New York City, called on the agency to investigate how the companies operate, adding that “many [consumers] don’t realize that their sensitive information may end up in the hands of many other third party companies.”
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business