23andMe made a name for itself by promoting at-home, mail-in DNA testing kits that gave ordinary people a look at their potential ancestry as well as genetic markers that could point to potential medical issues down the road.
People bought into the idea and purchased the kits. The company made some big money, and its value reached as high as $6 billion when it went public in 2021. But eventually demand faded and so did 23andMe’s revenue. Its value had dropped to about $50 million last week. The company also suffered a massive data breach in 2023, adding to its mounting costs and destroying trust in its data security practices. Late last year, it said it would lay off 40% of its workforce.
So it wasn’t a big surprise that after the failure of a last-ditch bid by the CEO to take the company private, 23andMe ultimately filed for Chapter 11 bankruptcy protection in late March, saying it hopes the move will help it shed more costs and bring about the sale of the company.
Now the possibility of a sale supervised by a bankruptcy court has data privacy experts worried. From a financial standpoint, 23andMe’s collection of millions of genetic samples and reports is easily its biggest asset. But for the company’s customers, it is some of their most private and personal information.
In announcing the bankruptcy filing, Mark Jensen, chair of the special committee of 23andMe’s board of directors, said the company “remains committed to continuing to safeguard customer data and being transparent about the management of user data going forward.”
He added that “data privacy will be an important consideration in any potential transaction.”
But it is unclear how much control 23andMe will have over who, if anyone, buys the company and what they choose to do with its treasure trove of consumer data. In a Chapter 11 sale, it is the judge overseeing the case, and not the company itself, who has the final say over who the buyer is.
“The problem we’re having at this exact moment is that we have more questions than answers,” Aaron Rose, a security architect with Check Point Software, said Monday.
Rose noted that while users seemed to shrug off the company’s 2023 data breach, which resulted in the compromise of the private information of about half the company’s 14 million users at the time, the filing appears to have been a needed wake-up call.
“People did not take [the breach] that seriously,” Rose said. “Now we have a situation where we do not know who’s going to assume ownership of this data.”
Worries about data security
The thought of unknown ownership has many users justifiably nervous, Rose said. And it has some data privacy experts advising them to delete their 23andMe accounts and request that their samples and other data be destroyed.
Ryan Sulkin, a partner at the law firm Benesch and leader of its data protection practice group, said that in a lot of ways the case is unprecedented. Though hospitals and health insurance companies have been through the Chapter 11 process, 23andMe’s case could be a first, considering the massive amounts of biometric and genetic data involved.
In general, Sulkin said, when companies are sold, people’s data stays protected by the privacy policy in place when that data was collected.
But at the same time, there is no comprehensive federal privacy law in place in the US that would protect the 23andMe data. Laws like the Health Insurance Portability and Accountability Act, or HIPAA, do not apply in this case, he said, because although 23andMe’s data may seem medically oriented, it is not health care data as defined by that law.
Users who live in one of the about 20 states that have passed their own data privacy laws may have some protections, Sulkin said. And he correctly predicted that the Federal Trade Commission might take an interest in the case and make it known that it wants users’ data protected.
FTC Chairman Andrew Ferguson on Monday issued a letter to the U.S. Trustee, saying that many Americans are concerned about the potential effects of the bankruptcy case on the privacy of their data. He said the FTC believes that per federal bankruptcy law, the company must keep the promises spelled out in its current data privacy policy.
But ultimately, the fate of the company’s consumer data will be determined by the bankruptcy court, which Sulkin said will likely appoint an ombudsperson who’ll be, at least in theory, responsible for protecting the privacy rights of users.
“But no matter what, there will be a tension between the bankruptcy court’s mission to protect as much value as possible within the company and at the same time respect the privacy rights of individuals,” he said.
One thing to keep an eye on, Sulkin said, is the potential 23andMe buyers, especially if they’re based, or at least partially based, outside the US. He pointed to the ongoing controversy over TikTok, which lawmakers voted to ban last year over concerns about its data collection practices and ties to China.
The judge could choose to reject a bid from a foreign company because of similar concerns, Sulkin said.
And 23andMe notes that any potential sale would also be subject to approval by federal regulators and have to comply with US antitrust rules and laws governing foreign investment in US companies.
Time to delete?
Given the uncertainty that continues to swirl around the future of 23andMe, people worried about the privacy and security of their data might want to delete their accounts and request that their data be destroyed sooner rather than later.
That’s what Darren Williams, founder and CEO of cybersecurity company BlackFog, chose to do. He also made sure his family members did the same.
Though it is likely 23andMe’s data-sharing practices will not change anytime soon, there’s always a possibility that its consumer data could end up in the wrong hands, whether that be through another data breach or a sale to a company that is not as careful as it should be with consumer data.
“Unfortunately, we live in a world now where data exfiltration is the norm, not the exception,” Williams said. “And once that data has gone out onto the dark web and has actually been taken, there is no way to get that data back.”
It remains unclear what cybercriminals could do with that data if they got their hands on it, he said. Experts have long fretted about what could happen if data related to health care were stolen in a breach, but most online criminals remain financially motivated and, for the most part, have yet to find a way to make money off medical information.
At the very least, the more information attackers have about any given person, the bigger profile they can build of them, Williams said, putting them at risk of socially engineered phishing and other online attacks.
While those worries are valid, Rose said it is up to the individual user to weigh the risks versus the rewards and then decide if they want to delete their account. Rose, also a longtime 23andMe user, said he is in the process of doing that himself right now.
Regardless of how 23andMe’s case plays out, Rose said he hopes it makes people a little bit more aware of how much of their personal data is out there, and prompts them to think twice before handing data over to companies.
In Sulkin’s view, 23andMe users who are worried about security and privacy are best off deleting and destroying as soon as possible, just given the uncertainty surrounding the case. But he also hopes people will be more careful with their personal information.
“Just because they’re providing their information to company A today doesn’t mean that company A will look the same a year from now, or two years from now or three years from now,” Sulkin said. “And they need to be mindful of that.”