The story started in October 2023 when the genetic-testing company 23andMe announced a massive data breach. Private genetic and non-genetic information of around 6.9 million users was accessed by a hacker. The breach not only had a large scope, but a layered one as well. Hackers worked their way around the company’s relative-finder tool to access a larger swath of data.
As a result, 23andMe was taken to court in a class-action case in San Francisco that argued the company not only failed to notify its users in a timely manner, but that the data of Chinese and Ashkenazi Jewish users, amongst others, was specifically targeted and was listed for sale on the dark web.
The $30 million 23andMe settlement to make amends for the fallout from the breach looks big. But look a little more closely, and then look a little more closely again. Only $5 million of that total is set aside to compensate users, and claims of extraordinary financial loss will be compensated with up to $10,000. The rest is attorney fees.
At least the good news is that 23andMe has to ramp up its cybersecurity infrastructure. The settlement requires the company to ‘dramatically strengthen’ its protections, including providing the affected users with ‘Privacy & Medical Shield + Genetic Monitoring’, as well as to assuage any historic concerns about the company’s ability to protect its customers’ precious genetic material.
For the millions of users caught in this cybersecurity quagmire whose data was stolen, the legal path to redress will be to visit the class-action settlement website (rolled out this summer). The site is where companies and individuals can register their claims. The process will no doubt be time-consuming, but it also provides an opportunity to achieve some form of redress, however minimal. It won’t make the breach go away completely, but it will put someone on the hook to make it right.
The recent settlement of a complaint over 23andMe’s breach of customer privacy is somewhat unusual, but ultimately it reflects a phenomenon increasingly characteristic of the information age: the lack of security surrounding all those bits and bytes once they get into the hands of biotech firms. The stakes get higher and higher as those firms explore ever more deeply into the human genome. The bottom line: stronger cybersecurity and clear communication standards could help to keep a lid on such breaches.
At its heart, the 23andMe data breach settlement is a milestone for digital privacy in the biotech sector, conveying key lessons about how this balance between innovation and the dictates of data protection must be struck. 23andMe’s effort to ramp up its cybersecurity measures marks the firm’s attempt to respond to this challenge. As the broader industry moves forward, more must follow suit. These interventions would not only require the right technology, but also the creation of an atmosphere of trust and security for those exploring genetic testing.
The word ‘boost’ appears several times in this discussion, and the saga of the 23andMe settlement should impart one key lesson. To ‘boost’ here means something quite specific: a dramatic increase or strengthening of cybersecurity measures, a preventative step to reduce future risk and build user trust. In the literal sense, it signals the specific need to improve safeguards for the biotech industry and the tech industry at large. In a digital age of vulnerabilities, ‘to boost security’ means to react now and to account for the future of cybersecurity, user safety and privacy.
© 2024 UC Technology Inc. All Rights Reserved.