23andMe bankruptcy sale: Privacy concerns and escalating tensions surrounding the headline

23andMe’s bankruptcy is making constant headlines. Regeneron Pharmaceuticals agreed to buy the genomics firm 23andMe for $256 million after a court-supervised sale [source]. Despite the buyer’s promise to use customer DNA data ethically, the tensions have not gone away.

This is an important moment for genetic privacy, because consumer genetic data is now an asset being sold in a bankruptcy. With over 15 million customers’ genetic profiles at stake, the case has exposed systemic gaps in both the cybersecurity practices and the regulatory frameworks governing genetic information, and in places the absence of such practices altogether.

Important facts so far

Neil Richards, the consumer privacy ombudsman appointed by the US Trustee Program, concluded in his report that 23andMe might be violating its own privacy policies by selling the data. He found that customers who signed up before June 2022 never consented to a transfer of their data in a bankruptcy, and that locating the relevant clauses requires navigating 3,306 words of dense legal text. [source]

The FTC warned prospective purchasers that they must honor the company’s existing privacy commitments. Over 28 state attorneys general sued to stop any data sale without customer consent. Canadian and UK regulators stated that their data protection laws continue to apply regardless of the bankruptcy. [source]

23andMe’s cybersecurity posture

The company’s unique challenge is that it processes genetic data, which is why it maintains several ISO certifications at once (27001 for information security management, 27018 for protecting personal data in the cloud and 27701 for privacy information management). On paper, that gives a good picture of its security posture. In practice, the 2023 breach, which exposed data on roughly 7 million customers through credential stuffing against individual accounts and then scraping of the DNA Relatives feature, shows that certified controls still left gaps that were found and exploited. As always, take both sides with a grain of salt: companies tend to overstate their security posture, while attackers tend to overstate what they actually obtained.

Further analysis in progress

In a future article I will continue with an industry analysis of genomics and data compliance, the threat landscape and attack vectors in this domain, while keeping an eye on the privacy and compliance challenges.

Photo by CDC on Unsplash.