A vast amount of sensitive consumer data is at risk with 23andMe auctioning off genetic information, biological DNA samples, health information, payment data and other personal information gathered from the roughly 15 million customers.
Gary Kibel, a Davis+Gilbert Privacy, Technology + Data Security partner, was quoted extensively in this Law360 article explaining that 23andMe’s push to sell its customers’ data would likely spark concerns under not only the terms of its privacy policy but also the requirements of the dozen-plus state privacy laws already on the books, which generally require opt-in consent to process sensitive personal information.
“23andMe’s data obviously falls within that sensitive category. So, if the data is transferred to a third party, a regulator could consider whether the initial disclosures and consents comply with such laws,” Gary states.
Gary also highlighted the heightened security risks during bankruptcy proceedings: “When a company is in dire straits, headcount is often reduced. Hopefully, that will not result in fewer personnel managing the information security systems of the company. In addition, hackers and other bad actors may seek to try and penetrate a company that may have let its guard down.”
For more insights on the data security risks posed by 23andMe, read the full Law360 article below.