23andMe Files for Chapter 11: What’s Next for Your Data?

News Room

23andMe made a name for itself by selling at-home, mail-in DNA testing kits that gave ordinary people a look at their possible ancestry as well as genetic markers that could point to potential medical problems down the road.

People bought into the idea and bought the kits. The company made a lot of money, and its value reached as high as $6 billion when it went public in 2021. But eventually demand faded and so did 23andMe’s profits. Its value had dropped to about $50 million last week. The company also suffered a massive data breach in 2023, adding to its mounting costs and destroying trust in its data security practices. Late last year, it said it would lay off 40% of its workforce.

So it wasn’t a big surprise that after the failure of a last-ditch bid by the CEO to take the company private, 23andMe ultimately filed for Chapter 11 bankruptcy protection in late March, saying it hopes the move will help it shed more costs and bring about the sale of the company.

Now the possibility of a sale supervised by a bankruptcy court has data privacy experts worried. From a financial standpoint, 23andMe’s collection of millions of genetic samples and reports is easily its biggest asset. But for the company’s customers, it’s some of their most private and personal information.

In announcing the bankruptcy filing, Mark Jensen, chair of the special committee of 23andMe’s board of directors, said the company “remains committed to continuing to safeguard customer data and being transparent about the management of user data going forward.”

He added that “data privacy will be an important consideration in any potential transaction.”

But it’s unclear how much control 23andMe will have over who, if anyone, buys the company and what they choose to do with its treasure trove of consumer data. In a Chapter 11 sale, it’s the judge overseeing the case, and not the company itself, who has the final say over who the buyer is. 

“The problem we’re having at this exact moment is that we have more questions than answers,” Aaron Rose, a security architect with Check Point Software, said Monday.

Rose noted that while consumers seemed to shrug off the company’s 2023 data breach, which resulted in the compromise of the personal information of about half the company’s 14 million users at that time, the filing appears to have been a needed wake-up call.

“People didn’t take [the breach] that seriously,” Rose said. “Now we have a situation where we don’t know who is going to assume ownership of this data.”

Worries about data security

The thought of unknown ownership has many consumers justifiably nervous, Rose said. And it has some data privacy experts advising them to delete their 23andMe accounts and request that their samples and other data be destroyed.

Ryan Sulkin, a partner at the law firm Benesch and leader of its data protection practice group, said that in a lot of ways the case is unprecedented. Though hospitals and health insurance companies have been through the Chapter 11 process, 23andMe’s case could be a first, considering the massive amounts of biometric and genetic data involved. 

In general, Sulkin said, when companies are sold, people’s data remains protected by the privacy policy in place when that data was collected.

But at the same time, there’s no comprehensive federal privacy law in place in the US that would protect the 23andMe data. Laws like the Health Insurance Portability and Accountability Act, or HIPAA, don’t apply in this case, he said, because though 23andMe’s data may seem medically oriented, it isn’t health care data as defined by that law.

Users who live in one of the roughly 20 states that have passed their own data privacy laws may have some protections, Sulkin said. And he correctly predicted that the Federal Trade Commission could take an interest in the case and make it known that it wants consumers’ data protected.

FTC Chairman Andrew Ferguson on Monday issued a letter to the U.S. Trustee, saying that many Americans are concerned about the potential effects of the bankruptcy case on the privacy of their data. He said the FTC believes that consistent with federal bankruptcy law, the company must keep the promises spelled out in its current data privacy policy. 

But ultimately, the fate of the company’s consumer data will be determined by the bankruptcy court, which Sulkin said will likely appoint an ombudsperson who’ll be, at least in theory, accountable for protecting the privacy rights of consumers.

“But no matter what, there will be a tension between the bankruptcy court’s mission to protect as much value as possible within the company and at the same time respect the privacy rights of individuals,” he said.

One thing to keep an eye on, Sulkin said, are the potential 23andMe buyers, especially if they’re based, or at least partially based, outside the US. He pointed to the ongoing controversy over TikTok, which lawmakers voted to ban last year over concerns about its data collection practices and ties to China.

The judge could choose to reject a bid from a foreign company because of similar concerns, Sulkin said.

And 23andMe notes that any potential sale would also be subject to approval by federal regulators and have to comply with US antitrust regulations and laws governing foreign investment in US companies.

Time to delete?

Given the uncertainty that continues to swirl around the future of 23andMe, people worried about the privacy and security of their data might want to delete their accounts and request that their data be destroyed sooner rather than later.

That’s what Darren Williams, founder and CEO of cybersecurity company BlackFog, chose to do. He also made sure his family members did the same.

Though it’s likely 23andMe’s data-sharing practices won’t change anytime soon, there’s always a possibility that its consumer data could end up in the wrong hands, whether that be through another data breach or a sale to a company that isn’t as careful as it should be with consumer data.

“Unfortunately, we live in a world now where data exfiltration is the norm, not the exception,” Williams said. “And once that data has gone out onto the dark web and has actually been taken, there’s no way to get that data back.”  

It remains unclear what cybercriminals could do with that data if they got their hands on it, he said. Experts have long fretted about what could happen if data related to health care were stolen in a breach, but most online criminals remain financially motivated and, for the most part, have yet to find a way to make money off medical information.

At the very least, the more information attackers have about any given person, the bigger profile they can build of them, Williams said, putting them at risk of socially engineered phishing and other online attacks.

While those worries are valid, Rose said it’s up to the individual user to weigh the risks versus the rewards and then decide if they want to delete their account. Rose, also a longtime 23andMe user, said he’s in the process of doing that himself right now.

Regardless of how 23andMe’s case plays out, Rose said he hopes it makes people a little bit more aware of how much of their personal data is out there, and prompts them to think twice before handing data over to companies.

In Sulkin’s view, 23andMe users who are worried about security and privacy are best off deleting and destroying as soon as possible, just given the uncertainty surrounding the case. But he also hopes people will be more cautious with their personal information. 

“Just because they’re providing their information to company A today doesn’t mean that company A will look the same a year from now, or two years from now or three years from now,” Sulkin said. “And they need to be mindful of that.”


