23andMe’s $30M Settlement: What It Means for Companies Handling Genetic and Genomic Data

Baker Botts L.L.P.

The recent $30 million settlement between 23andMe and 6.4 million users following a major data breach offers important lessons for businesses dealing with sensitive genetic and genomic information. The breach has put a spotlight on the unique challenges facing companies in this rapidly growing sector.

For companies that manage genetic or genomic data, the settlement underscores the critical need for stronger cybersecurity measures. As part of the settlement, 23andMe is required to enhance its password protections, implement multi-factor authentication, and conduct annual security audits—highlighting how businesses need to stay ahead of evolving threats to data security.

Moreover, the case illustrates the legal risks tied to genetic privacy laws. States like California, Illinois, Alaska, and Oregon have enacted statutory damages for violations of these laws, which means that even in situations where no direct harm is caused, companies can face significant financial penalties. This is a clear reminder that businesses must be fully aware of and compliant with state-specific privacy regulations.

Perhaps the most telling part of the settlement is the introduction of Privacy & Medical Shield + Genetic Monitoring, a service designed to help victims of the breach monitor and safeguard their data. This move reflects the growing expectation that companies not only prevent breaches but also take comprehensive steps to protect customers when things go wrong.

For organizations handling genetic and genomic data, 23andMe’s settlement serves as a cautionary tale: as the collection of such data grows, so too does the need for rigorous safeguards, thoughtful compliance, and strategic breach response plans.

While the stolen information varied by user, much of it included the customer's name, sex, birth year, ancestry information, location and family tree information, among other data.

"For a small number of customers, the threat actor also accessed personal information about the customer's present or future health based on the analysis of their genetic data, their self-reported health information, and their uninterpreted genotype data," the filing notes.

www.law360.com/...

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Baker Botts L.L.P.
