GRC Complications for 23andMe

The news that troubled DNA testing company 23andMe has filed for Chapter 11 bankruptcy protection, while it searches for a buyer for the business and its assets, has profound privacy implications. 

The company’s entire board of independent directors resigned in October last year, after rejecting her offer to take the company private. Around the same time hackers stole the personal data of 6.9 million 23andMe customers, about half its customer base. The data, which was offered for sale on a hacking forum, included names, birthdates, location, DNA details, and relationships to other users on the platform.

23andMe gathers some of the most sensitive PII that an individual can share — a map of their DNA, which in turn can indicate their likelihood of contracting specific health conditions.  

California Attorney General Rob Bonta is just the most high profile advocate urging 23andMe customers to delete their data from the platform, using their rights under the Genetic Information Privacy Act (GIPA) and California Consumer Privacy Act (CCPA), and has gone as far as providing explicit step-by-step instructions on how to request deletion. Users of 23andMe are not protected by HIPAA because even though they are receiving a quasi-medical service, they are customers rather than patients. 

Not only is 23andMe storing highly sensitive data, its processing of that data is complex as based on similarities in DNA it highlights relationships between users that may not have been aware of them. Over 80% of 23andMe customers also consent to take part in 23andMe’s research programs, which involves sharing customer data with third party service providers and contractors. However, the company has repeatedly stated that it does not share data with public databases, insurance companies, employers, or law enforcement (unless it receives a valid court order, subpoena, or search warrant).  

The company’s end user privacy agreement specifically covers what happens in the event of a bankruptcy and/or sale of assets, suggesting that the privacy statement will still apply and transfer to the new owner. An article published in the New England Journal of Medicine earlier this year cautioned that while the privacy rights would transfer the new entity could “create new terms of service”. 

23andMe now faces a potential tsunami of consumers exercising their DSR rights to understand what data the Californian firm holds on them and requesting deletion of that data. Without automated processes in place 23andMe could buckle under the pressure of complying with those requests. Not only is the data extremely sensitive, connections have been made between users (a vector that was apparently exploited by the hackers last year), and for the over 80% of customers who agreed to take part in research, that data now also exists on third party systems. 

While 23andMe is clearly an extreme example, Ethyca works with some of the most privacy-focused organizations in the world, where personal data flows through complex, interconnected systems. Responding to DSRs in these environments is far from trivial and is not just a case of deleting data. Our privacy-as-code approach provides our customers with deep insights into where personal data resides and allows us to support companies in the event of an incident that drives a very high volume of requests to delete data.