Genetic testing provider 23andMe has faced legal challenges following a data breach in October, in which a threat actor first attempted to sell customer data and later leaked data belonging to 1 million Ashkenazi Jews and 4.1 million people in the UK. The company revealed that 6.9 million individuals were affected by the breach: the attacker used credential stuffing attacks to take over customer accounts and then pulled additional data through features like ‘DNA Relatives’ and ‘Family Tree.’ In response to the lawsuits stemming from the breach, 23andMe updated its Terms of Use on November 30th, introducing a mandatory arbitration provision for dispute resolution instead of allowing jury trials or class action lawsuits.
The updated Terms of Use stipulate that mandatory arbitration must be used for dispute resolution under specific circumstances. Customers were notified of the change through emails, allowing them 30 days to dispute the new terms by contacting 23andMe.
Those who express disagreement within the timeframe will remain under the previous Terms of Service. Despite the modification, legal experts, such as Nancy Kim, a professor at Chicago-Kent College of Law, suggest that the update may not shield 23andMe from lawsuits, as proving reasonable notice for opting out of the new terms could be challenging.
The data breach incident involved a threat actor employing credential stuffing attacks to compromise user accounts, highlighting the broader issue of cybersecurity in the genetic testing industry. As genetic testing services handle sensitive health data, ensuring robust security measures and transparent communication with users about potential risks becomes paramount.
The legal ramifications and evolving privacy concerns associated with such incidents underscore the need for companies like 23andMe to prioritize cybersecurity and maintain proactive measures to protect user information from unauthorized access.