- Not requiring service providers by contract to implement reasonable safeguards and not engaging in reasonable oversight of those service providers;
- Maintaining consumers’ personal information, including Social Security numbers and bank account numbers, in clear text;
- Enabling service providers to access consumers’ complete personal information, even if such information was not necessary for service providers to perform their duties; and
- Neglecting to limit wireless access to their network.

The consent orders with Gene Link and foru prohibit the companies from misrepresenting the extent to which the companies maintain the privacy, security and confidentiality of consumers’ personal information. The consent orders also obligate the companies to implement comprehensive information security programs that are subject to independent assessment on a biennial basis for the next 20 years.