Two marketers of genetically customized nutritional supplements have agreed to settle Federal Trade Commission (“FTC”) charges of deceptive advertising claims and lax information security practices. The main purpose of the FTC’s investigation apparently concerned unsubstantiated advertising claims about Genelink’s products, but the FTC also took the opportunity to question the security processes employed by Genelink. The FTC’s complaint charges that Genelink deceptively and unfairly claimed that it had taken reasonable and appropriate security measures to safeguard and maintain personal information from nearly 30,000 consumers. Genelink collected genetic information, Social Security numbers, bank account information, and credit card numbers. The complaint alleges that Genelink did not require service providers to have appropriate safeguards for personal information, and failed to use readily available security measures to limit wireless access to its network. The proposed order requires Genelink to establish and maintain a comprehensive information security program and to submit to security audits by an independent auditor every other year for 20 years. As I have said before, sometimes the ongoing compliance obligations are much more burdensome and costly than any fines or penalties imposed by regulators.