What happens when a company loses a large amount of user data? Often, it apologizes and shyly asks for forgiveness. Not so with 23andMe. The popular genomics company, which suffered a pretty scary data leak last year, has chosen to tell angry customers that if they didn’t want their data stolen, they should probably have chosen better passwords.
To be clear, 23andMe is currently being sued, or more accurately, legally attacked, by a number of people due to the large number of user accounts that were compromised by cybercriminals last year. News of the leak first broke in October, when customer data was posted for sale on the dark web. At the time, 23andMe told the public that only about 14,000 accounts had been leaked. However, later investigations revealed that the actual number of people affected may have been around 6.9 million due to internal data-sharing capabilities associated with these accounts.
So, yes, people are naturally angry and are therefore trying to sue the genomics company. The key word here is “trying,” as large-scale litigation, such as a class action lawsuit, would be difficult to pull off due to some controversial content included in 23andMe’s terms of service agreement. The company’s terms of service stipulate that users must give up the chance to sue the company and instead attempt “forced arbitration,” an alternative legal avenue that experts think is heavily favorable to business. Still, some class action lawsuits have already been filed against the company, in an apparent attempt to overturn the company’s original agreement.
Interestingly, 23andMe has not only chosen not to appear in court, but has also appeared to deny that it was the primary wrongdoer in the data breach. Case in point: On Wednesday, TechCrunch reported that the genomics company sent a letter to the law firm of Tycko & Zavareei LLP, the firm handling the lawsuit against the company, which appeared to deny wrongdoing and in some cases pointed the finger at affected customers. The letter, sent to the law firm’s office, read:
“…users negligently recycled and failed to update passwords following these past security incidents, which were unrelated to 23andMe…Accordingly, this incident was not the result of 23andMe’s alleged failure to maintain reasonable security measures…”
In other words, 23andMe seems to be saying that the whole data disaster isn’t actually its fault. This is consistent with the company’s previous claims that the real culprit in the entire incident was poor account security, while its own systems were never breached by criminals. Critics point out, however, that 23andMe should probably have required users to use multi-factor authentication, an industry-standard security practice that it failed to adhere to before the leak. The company only instituted mandatory 2FA after user data was stolen.
In response to 23andMe’s letter, attorney Hassan Zavareei told Gizmodo, “23andMe disclaims all responsibility for this breach and shamelessly blames its customers for the breach on the grounds that the data was obtained through recycled login credentials for customer accounts that were stolen from other websites.”
Zavareei also noted during the phone conversation that 23andMe recently updated its terms of service to make the arbitration process more onerous and difficult to navigate. Other legal experts agree that the company’s recent contract changes make it harder for affected users to band together and seek “mass arbitration,” a process more akin to a class action lawsuit and therefore more advantageous and convenient for victims.
Is there a way around the arbitration clause? Zavareei said there are hypothetical situations where victims could resort to traditional litigation.
“It is possible for them [23andMe] to waive arbitration and simply agree to litigate in court without invoking the arbitration clause,” Zavareei said. “We don’t have any indication of their intentions. If they just want to resolve it all at once rather than going through thousands of arbitration [cases], they can do that.” The lawyer also said that plaintiffs in these cases could “challenge the arbitration clause and claim that it is unenforceable. There are many [legal] arguments that could render the provision unenforceable and unreasonable.”
In other words, 23andMe might decide to pursue a more traditional litigation process if it believes that would be simpler than dealing with piles of individual arbitrations. Alternatively, affected customers could challenge the company’s arbitration clause. That said, neither possibility seems likely.
Gizmodo reached out to 23andMe for comment but did not receive a response. We will update this story if there is a response.