June 17th, 2025

What:
After filing for Chapter 11 bankruptcy earlier this year, genetic testing company 23andMe is facing lawsuits from 27 states (and Washington D.C.) over its decision to sell customer genetic data. The states argue that 23andMe cannot sell sensitive genetic data without express, informed consent from customers. 23andMe maintains that "Customers will continue to have the same rights and protections in the hands of the winning bidder," but what does that really mean?
Security & Privacy Implications:
High-value data: Genetic data is immutable and inherently identifiable, making it a prime target for attackers.
A credential stuffing breach in 2023 affected ~7 million users, highlighting failures in account protection and the absence of multi-factor authentication.
Bankruptcy weakens defenses: Staffing reductions and uncertainty can degrade a company’s ability to detect and respond to cyber threats.
Genetic data reveals health risks, ancestry, and familial connections. Unlike email or financial records, it can't be changed or effectively anonymized.
Transferring data under bankruptcy conditions—without informed, opt-in consent—sets a dangerous precedent for consumer data rights.
Consumer trust has eroded, with 2 million+ users requesting deletion of their data since the bankruptcy announcement.
Key Considerations:
The Nature of the Data Matters
Not all personal data is equal. Biometric and genetic data require special handling due to their permanence and sensitivity.
Third-Party Vendors = Third-Party Risk
Vendors and service providers like 23andMe are data processors, often outside the scope of HIPAA or equivalent regulations.
Without clear data-sharing agreements, your organization and your customers are exposed to inherited risk.
Consent ≠ Checkbox
“Implied” or “blanket” consent is no longer enough. Explicit, informed, revocable consent must be the standard for handling any sensitive or high-risk data.
Recommendations:
For Consumers -
Review vendor privacy policies and opt out of unnecessary data retention or sharing options.
Use strong, unique passwords and MFA to prevent credential stuffing attacks.
Request deletion of your genetic and personal data if trust is lost or the data is no longer needed.
For Companies -
Consider using a third-party risk management solution to conduct regular security assessments of third-party vendors.
Use strong encryption, access controls, and breach detection for sensitive data environments.
Classify and segment sensitive data, especially if it includes genetic, health, or biometric identifiers.
When Drafting or Reviewing Third-Party Agreements -
Require specific consent management provisions for data subjects.
Include clear data breach reporting timelines and responsibilities.
Specify data deletion protocols on contract termination or vendor shutdown.
Add audit rights to review the vendor’s security posture.