23andMe Failed to Implement Basic Data Security Practices: Class Action
Biotechnology company 23andMe failed to state in a notice of a data breach whether it successfully contained or ended the cybersecurity threat, said a class action (docket 3:23-cv-05565) Friday in U.S. District Court for Northern California in San Francisco. The company, which maps individual genomes of customers to create reports on subjects’ ancestry and genetic health risks, also fails to state how the breach occurred, the complaint said.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Plaintiff Nicholas Furia of Minneapolis has been a 23andMe customer since 2018 and trusted his personally identifiable information (PII) and personal health information (PHI) to the company, the complaint said. 23andMe “failed to properly implement basic data security practices,” said the complaint. Furia would not have trusted the company with his PII if he knew it would “fail to implement industry standard protections for it,” it said.
23andMe’s news release said compromised data included names, sex, date of birth, genetic ancestry results, profile photos, geographical location and other information, said the complaint. It encouraged customers to confirm they have “strong passwords” and to use multifactor authentication, acknowledging plaintiff and class members “are subject to an imminent threat of fraud and identity theft,” said the complaint. Due to its “inadequate security measures,” 23andMe’s customers face a present and ongoing risk of fraud and identity theft “and must deal with that threat forever,” it said: “Once PII is stolen, the threat of fraudulent use of victims from that information’s disclosure continues for years."
23andMe had the resources necessary to prevent the data breach but “neglected to adequately invest in security measures, despite its obligation to protect Customers’ PII,” said the complaint. It therefore breached its common law, statutory and other duties owed to Furia and class members, it said.
The FTC’s cybersecurity guidelines for businesses advises them to protect the PII they acquire; “properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems,” said the complaint. FTC guidelines also recommend an intrusion detection system to expose a breach “as soon as it occurs,” to monitor network activity indicating hacking attempts, “watch for high volume data transmissions” and have a “prepared response plan in the event of a breach,” it said.
Medical identity theft victims may have their records falsified through improper billing activity, said the complaint, and they may accrue “significant bills for medical goods and services neither sought nor received.” They could have long-term credit issues based on problems with debt collectors reporting debt due to identity theft, it said. Identity theft victims have been “falsely accused of being drug users" based on falsified entries to their medical files; “had their children removed from them due to medical activities of the imposter; and victims have been denied jobs due to incorrect information placed in their health files,” the complaint said.
Time lags between the theft of PII, when it is used and when a person discovers its use, create problems for identity theft victims, the complaint said. On average it takes about three months for consumers to discover their identity has been stolen and used, “but it takes some individuals up to three years to learn that information,” it said.
As a result of the data breach, Furia suffered diminished value of his PII, lost time, invasion of privacy, loss of benefit of the bargain and continued risk to his PII, the complaint said. His PII remains unencrypted and “available for unauthorized third parties to access and abuse,” it said. It remains subject to further “unauthorized disclosures” as long as 23andMe fails to take adequate measures to protect it, it said.
Furia asserts claims of negligence, breach of implied contract, invasion of privacy and unjust enrichment. He seeks orders requiring 23andMe to maintain reasonable security measures, including creating firewalls and access controls so that if one area is compromised, hackers can’t access other portions of its systems. He also requests an order requiring 23andMe to purchase credit monitoring services for him and class members for 10 years and and to educate them about threats they face as a result of the loss of their PII and PHI.
Furia also seeks equitable relief enjoining 23andMe from engaging in wrongful conduct described; disgorgement of revenues wrongfully retained as a result of the breach; awards of actual, compensatory, statutory and punitive damages, pre- and post-judgment interest and attorneys’ fees. 23andMe didn't comment Monday.