Hereditary Hack: 23andMe’s $30M Settlement After 6.4 Million Stolen DNA Profiles Put Up for Sale on Dark Web


The 23andMe data breach exposed 6.4 million customers' genetic information, leading to a $30 million settlement. Affected users can claim compensation and receive free identity protection services, while the company implements stricter security measures to prevent future breaches.

September 14, 2024

In early October 2023, 23andMe, a leading direct-to-consumer genetic testing company, announced that it was investigating unauthorized access to customers’ personal data. The company later attributed the intrusion to credential stuffing: the attackers logged in to roughly 14,000 accounts using usernames and passwords that had been exposed in other companies’ breaches and reused on 23andMe, then harvested the profile information those accounts could see through the opt-in DNA Relatives feature. That is how a relatively small number of compromised logins exposed the data of millions of customers. The stolen data, which was put up for sale on the dark web, included information derived from DNA testing such as ancestry composition, health predispositions and genetic traits.

This guide provides an in-depth look at the consolidated class action lawsuits filed against 23andMe in the wake of the data breach, the key legal issues, the proposed $30 million settlement, and what impacted customers need to know about their rights and potential recovery options.

1. Understand the Scope of the 23andMe Data Breach

    • Personal Data of 6.4 Million Compromised: 23andMe’s investigation determined a threat actor downloaded genetic data and personal info of approximately 6.4 million U.S. customers without authorization.
    • What Types of Info Were Exposed: The stolen data included names, ancestry reports, family tree info, health predispositions, traits, raw genetic data and more.
    • Hackers Targeted Sensitive Groups: Analyses of the dark web data found it contained genetic profiles of over 300K customers of Chinese descent and 1 million of Ashkenazi Jewish descent.
    • Fallout for 23andMe: 23andMe’s stock price plummeted on news of the breach as consumer trust was shaken and dozens of class action lawsuits were filed.
    • Regulatory Investigations Launched: The FTC, SEC and state attorneys general opened probes into 23andMe’s data security practices and representations to consumers.

Examples:

    • Mia, of Chinese heritage, was horrified to learn her 23andMe genetic data indicating elevated breast cancer risk based on BRCA mutations was now for sale to anyone on the dark web.
    • Andrew, an Ashkenazi Jew, couldn’t believe 23andMe allowed his family’s genetic data reflecting their ancestry to be hacked and publicized, making him feel exposed and vulnerable.
    • Carmen was furious that 23andMe’s lax security practices led to criminals getting hold of her raw genetic data and health predispositions, which she considered highly private.
    • Joe, a 23andMe investor, watched in disbelief as the company’s stock tanked over 50% in the days after the breach, wiping out millions in shareholder value.
    • Reggie, an FTC investigator, was tasked with uncovering how 23andMe’s security measures failed so badly and whether it misled customers about data protections.

How It Affects You:

    • If you’re a 23andMe customer, your genetic data and personal info may have been compromised in the breach, exposing you to privacy violations and potential misuse of your sensitive data.
    • You may be a member of the class action lawsuits filed against 23andMe and eligible for compensation from the $30 million settlement fund.
    • Because the attackers logged in with passwords reused from other sites’ breaches, change your 23andMe password if you used it anywhere else, turn on two-factor authentication, and monitor your accounts for signs of identity theft or fraud.
    • Those with “anonymous” 23andMe profiles are still at risk: genetic data itself can be used to re-identify people by cross-referencing it with public genealogy databases.
    • As government agencies investigate 23andMe’s practices, additional regulatory action, penalties or mandated security changes may be forthcoming.

FAQs:

    • How do I know if my data was stolen in the 23andMe breach? 23andMe should have notified all impacted customers, but you can also contact their support channels to inquire about your data status.
    • What are the risks of my genetic data being exposed? Potential risks include genetic discrimination by insurers or employers, being re-identified even if your data was “anonymous,” and psychological distress from the privacy violation.
    • Can I trust 23andMe to keep my data secure going forward? 23andMe claims to be implementing robust security changes, but you have to decide your comfort level and if the service’s benefits outweigh the risks for you.
    • I want to delete my 23andMe data – how do I do that? 23andMe allows customers to delete their data, have their sample destroyed and close their account – visit the Privacy section of their website for instructions.
    • What if I’m not a 23andMe customer but my relative is? If your relative used 23andMe, some of your genetic information (shared DNA segments, ancestry) can be inferred from theirs. Note also that the bulk of the breached profiles belonged to customers who had opted into DNA Relatives matching: their data was visible to any matched account the attackers had logged into, even though their own logins were never compromised. Talk to your family about data sharing settings.
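The two mechanisms behind the numbers above (credential stuffing against a few thousand accounts, amplified by an opt-in matching feature) are worth seeing in code. The block below is an added example written for this page; it is not 23andMe’s code and does not come from the settlement papers. It flags credential stuffing in a constructed authentication log (one source trying many different accounts about once each, with a modest success rate, as opposed to brute force against one account or a user mistyping), then models an opt-in relative-matching feature to show how the set of readable profiles grows with each taken-over login. The log format, the thresholds, the sharing graph and every account name are assumptions made for the example.

```python
"""Credential-stuffing detection plus a blast-radius model (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: <timestamp> <source ip> <account> <OK|FAIL>
# 203.0.113.7 tries ten different accounts once each and gets two in (stuffing);
# 198.51.100.22 is one user fumbling a password; 192.0.2.5 is a normal login.
SAMPLE_LOG = """\
2023-10-01T02:14:01Z 203.0.113.7 alice@example.org FAIL
2023-10-01T02:14:02Z 203.0.113.7 bob@example.org FAIL
2023-10-01T02:14:02Z 203.0.113.7 carol@example.org OK
2023-10-01T02:14:03Z 203.0.113.7 dave@example.org FAIL
2023-10-01T02:14:03Z 203.0.113.7 erin@example.org FAIL
2023-10-01T02:14:04Z 203.0.113.7 frank@example.org OK
2023-10-01T02:14:05Z 203.0.113.7 grace@example.org FAIL
2023-10-01T02:14:06Z 203.0.113.7 heidi@example.org FAIL
2023-10-01T02:14:07Z 203.0.113.7 ivan@example.org FAIL
2023-10-01T02:14:08Z 203.0.113.7 judy@example.org FAIL
2023-10-01T09:30:00Z 198.51.100.22 alice@example.org FAIL
2023-10-01T09:30:20Z 198.51.100.22 alice@example.org FAIL
2023-10-01T09:30:45Z 198.51.100.22 alice@example.org OK
2023-10-01T11:00:00Z 192.0.2.5 mallory@example.org OK
"""


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    account: str
    ok: bool


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)     # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts that logged in OK


def parse_log(text):
    """Parse the four-column format above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, account, result = parts
        events.append(Event(ts, ip, account, result == "OK"))
    return events


def flag_stuffing(events, min_accounts=5, max_attempts_per_account=2.0):
    """Return {ip: SourceStats} for sources whose traffic looks like credential
    stuffing: at least min_accounts distinct accounts and, on average, no more
    than max_attempts_per_account tries per account.  A stuffer tries each
    leaked pair once; brute force piles many guesses onto one account.
    Thresholds are assumed for the example and should be tuned per site."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e.ip]
        s.attempts += 1
        s.accounts.add(e.account)
        if e.ok:
            s.successes += 1
            s.compromised.add(e.account)
    flagged = {}
    for ip, s in stats.items():
        distinct = len(s.accounts)
        if distinct >= min_accounts and s.attempts / distinct <= max_attempts_per_account:
            flagged[ip] = s
    return flagged


def reachable_profiles(compromised, visible_to):
    """Blast radius of account takeover under opt-in matching: each taken-over
    account can read a slice of every profile in visible_to[account], so the
    exposed set is the union over all compromised accounts."""
    exposed = set()
    for acct in compromised:
        exposed |= visible_to.get(acct, set())
    return exposed


if __name__ == "__main__":
    hits = flag_stuffing(parse_log(SAMPLE_LOG))
    for ip, s in hits.items():
        print(f"{ip}: {len(s.accounts)} accounts tried, {s.successes} logins OK; "
              f"force reset + 2FA for {sorted(s.compromised)}")
    # Constructed sharing graph: which profiles each account can see via matching.
    visible_to = {"carol@example.org": {"p1", "p2", "p3"},
                  "frank@example.org": {"p3", "p4", "p5"}}
    taken = set().union(*(s.compromised for s in hits.values()))
    print(f"{len(taken)} compromised logins expose "
          f"{len(reachable_profiles(taken, visible_to))} profiles")
```

The detector keys on the shape of the traffic rather than on failure counts alone: a single source touching many accounts with roughly one attempt each is the signature of replaying leaked credential pairs, and the accounts it succeeded on are the ones to reset and enroll in two-factor authentication. The second function is the design lesson: once a feature lets one logged-in account read other profiles, the exposure from a takeover is the union of everything those accounts can see, not just the accounts themselves.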

2. Dig Into the Details of the Class Action Lawsuits

    • Over 40 Class Actions Filed: After 23andMe announced the breach in October 2023, dozens of proposed class action lawsuits were quickly filed in state and federal courts across the country.
    • Common Claims Asserted: The suits generally alleged 23andMe failed to safeguard customers’ personal data, was deceptive about its security practices, and violated consumer protection and data privacy laws.
    • Specific Causes of Action: Claims included negligence, breach of contract, unjust enrichment, state genetic privacy act violations, state unfair competition and consumer protection law violations, invasion of privacy, breach of fiduciary duty, and more.
    • Consolidated in Federal MDL: In April 2024, the 40+ proposed class actions were consolidated into one federal multi-district litigation (MDL) in the Northern District of California to coordinate pre-trial proceedings.
    • Court Appoints Lead Counsel: Judge Edward Chen appointed an Executive Committee of three law firms to spearhead the litigation: Cari Laufenberg of Keller Rohrback L.L.P., Norman Siegel of Stueve Siegel Hanson LLP, and Gayle Blatt of Casey Gerry.

Examples:

    • The first class action against 23andMe was filed in the company’s home state of California just two days after the company announced the data breach.
    • A Florida class action alleged 23andMe “did not adequately safeguard users’ information, failed to timely notify users of the breach, and did not offer any remedy to Plaintiffs and Class Members.”
    • An Illinois suit claimed 23andMe violated the state’s Genetic Information Privacy Act, which provides liquidated damages of $2,500 per negligent violation and $15,000 per intentional or reckless violation.
    • The many overlapping class actions created the need for an MDL to oversee and organize them, promote efficiency, and avoid inconsistent pre-trial rulings.
    • The appointed Lead Counsel have decades of experience successfully prosecuting complex consumer class actions and data breach cases.

Key Allegations Against 23andMe:

    • Inadequate Data Security – 23andMe failed to use reasonable safeguards to protect the sensitive personal genetic data with which it was entrusted.
    • Delayed Breach Notification – 23andMe waited too long to alert customers that their data was breached, preventing them from taking timely mitigating actions.
    • Misrepresentations About Security – 23andMe deceived customers about the strength of its data security practices, which were not as robust as promised.
    • Violations of State Laws – The breach violated many state data breach notification laws, consumer protection laws, and state genetic privacy acts.
    • Unjust Enrichment – 23andMe unjustly enriched itself and inflated its valuation by charging for services while failing to spend adequately on data security.

FAQs:

    • How do I know if I’m included in the class action lawsuits? The class actions aim to cover all U.S. 23andMe customers whose personal info was compromised in the breach, so if you fall in that category, you’re likely included.
    • Where can I review the class action complaints? Many are available on online legal databases like Justia or PACER – try searching “23andMe data breach class action complaint.”
    • What’s the difference between the various lawsuits? The specific named plaintiffs and state laws cited vary, but the core facts and allegations are very similar across the many suits.
    • How long will the litigation take? Class actions can take years to resolve, but filing them quickly helps preserve claims and improves settlement leverage. The consolidated MDL should promote pre-trial efficiency.
    • What do the lawsuits aim to achieve? The goals are to hold 23andMe accountable for the breach, compensate customers for losses and distress, and force 23andMe to robustly improve its data security.

3. Analyze 23andMe’s Liability for Potential Claims

    • Negligence: To prove negligence, plaintiffs must show 23andMe had a duty to protect customer data, breached that duty by failing to use reasonable data security, and caused customers compensable harm.
    • Breach of Contract: Plaintiffs can argue 23andMe breached its Terms of Service contract with customers, which promised certain data security measures that 23andMe failed to deliver.
    • State Genetic Privacy Act Violations: Several states like Alaska, California, Illinois and Oregon have genetic privacy acts that provide a private right of action and statutory damages for unauthorized disclosures of genetic data.
    • State Consumer Protection & Data Breach Laws: All 50 states have data breach notification laws and consumer protection statutes prohibiting unfair and deceptive business practices, which plaintiffs allege 23andMe violated.
    • Unjust Enrichment: Plaintiffs can claim 23andMe unjustly enriched itself at their expense by failing to spend enough on data security while collecting fees and building its valuation on their data.

Key Factors Impacting 23andMe’s Liability:

    • Nature of the Data Breached – Genetic data is extremely sensitive, immutable, and has long-term value, increasing the duty to safeguard it, potential for misuse, and harm from disclosure.
    • Representations About Data Security – 23andMe’s privacy policies and marketing touted “industry standard” security, which plaintiffs can argue were deceptive if not delivered.
    • Reasonableness of Security Measures – Forensic analysis will scrutinize whether 23andMe used data security on par with industry standards given the sensitivity of the data collected and the company’s resources. Because the attackers logged in with valid but reused credentials, the question is less whether a perimeter was breached than whether controls that blunt credential stuffing (rate limiting, anomalous-login detection, two-factor authentication) and limits on how much data one logged-in account could pull from other customers’ profiles were in place.
    • Evidence Data Was Exfiltrated & Misused – Reports that the stolen data surfaced on the dark web support the claim that 23andMe’s systems were compromised and increase its liability exposure.
    • Timing of Breach Notifications – A key issue is whether 23andMe notified customers and regulators of the breach as promptly as required by state notification laws.

Potential Damages for 23andMe Customers:

    • Actual Losses from Identity Theft or Fraud – Customers who suffer financial losses from misuse of their breached data can seek reimbursement.
    • Statutory Damages Under State Laws – Some state genetic privacy and consumer protection laws provide statutory damages, roughly $1,000 to $15,000 per violation depending on the state and on whether the violation was negligent or intentional, without proof of actual losses.
    • Emotional Distress – Plaintiffs can pursue compensation for anxiety, stress and distress from the hack of their intimate genetic information.
    • Time and Effort Mitigating Breach – Customers may be able to recover for time spent monitoring accounts, fixing issues and purchasing protective services after the breach.
    • Benefit of the Bargain Losses – Plaintiffs can seek compensation for not receiving the full data security they paid for as part of 23andMe’s service.

FAQs:

    • Does 23andMe admit fault or liability for the data breach? Not yet – 23andMe’s statements express regret about the incident but don’t admit to specific legal wrongdoing. The complaints will test those issues.
    • Will 23andMe claim the hack was an unforeseen crime it couldn’t prevent? Likely yes, but plaintiffs will argue 23andMe had a heightened duty to safeguard DNA data and should have anticipated threats.
    • How might 23andMe try to avoid or limit liability? It may point to liability waivers in its Terms of Service, argue plaintiffs lack standing or provable damages, or claim compliance with applicable laws.
    • Will the lawsuits be hard to prove without a forensic investigation? Detailed forensics would help, but complaints can sufficiently allege violations based on 23andMe’s statements and facts known so far to start the case.
    • What if 23andMe files for bankruptcy – will that limit its liability? Bankruptcy could pause the lawsuits and cap 23andMe’s liability at its available assets, but plaintiffs would still share in those assets as creditors.

4. Break Down the Proposed $30 Million Settlement

    • $30M Non-Reversionary Settlement Fund: 23andMe agrees to pay $30 million to settle the consolidated class action lawsuits, with no reversion of unclaimed funds back to the company.
    • Extraordinary Expense Reimbursement: Class Members can claim up to $10,000 for documented losses or expenses fairly traceable to the data breach.
    • Statutory Damage Payments: Residents of California, Illinois, Alaska and Oregon can claim an additional cash payment expected to be ~$100 each due to violations of state genetic privacy laws.
    • Health Information Breach Compensation: Class Members whose health info like medical reports, pharmacogenetics or health predispositions was breached get an extra $100 each.
    • Free Identity & Financial Monitoring: All Class Members are eligible for 3 years of free financial/credit monitoring and identity theft protection services.

Key Non-Monetary Settlement Terms:

    • Mandatory Two-Factor Authentication – 23andMe commits to make 2FA mandatory on all customer accounts within 6 months. This is the control most directly aimed at the attack that occurred: with a second factor required, a password reused from another site’s breach no longer unlocks the account on its own.
    • Enhanced Security Monitoring – 23andMe agrees to undertake external cybersecurity audits annually for 3 years to identify and remediate any security gaps.
    • Improved Employee Training – 23andMe will implement comprehensive cybersecurity and privacy training for all personnel with access to sensitive customer data.
    • Option to Delete Data – 23andMe will email all Class Members instructions on how to request permanent deletion of their data and biological samples from 23andMe.
    • Restrictions on Data Retention – 23andMe will shorten its default data retention periods and purge inactive customers’ data sooner to limit exposure.

What to Expect Next:

    • Preliminary Approval Hearing – The parties have filed a joint motion asking Judge Chen to grant preliminary approval of the settlement, with a hearing set for October 17, 2024.
    • Class Member Notifications – If preliminary approval is granted, all Class Members will receive direct email/mail notice about the settlement and how to file claims or opt-out.
    • Claim Filing Process – Class Members will have 90 days to file online claims for the cash payments and monitoring services and provide any required documentation.
    • Objections & Opt-Outs – Class Members who wish to object to or opt out of the settlement will have 35 days to file objections with the Court or submit opt-out requests.
    • Final Approval Hearing – A final approval hearing will likely be set in Q2 2025 for the Court to consider any objections and decide whether to grant final approval of the deal.

FAQs:

    • Who is eligible for benefits under the 23andMe settlement? The Class includes all U.S. 23andMe customers whose personal info was compromised in the breach announced in Oct. 2023.
    • How much money will Class Members likely receive? It depends on how many people file valid claims, but most Class Members can expect ~$100, with extra for those with documented losses or in certain states.
    • Is the settlement a good deal for consumers? The $30M fund, free monitoring, and security commitments represent a strong recovery given the challenges of proving harm from the breach.
    • Why would 23andMe settle instead of fight the lawsuits? Settlement avoids the risks and costs of drawn-out litigation, caps liability via the release, and allows 23andMe to move forward.
    • What happens if the Court rejects the settlement? If the deal is not approved, the parties would either renegotiate the terms to address the Court’s concerns or resume active litigation.

Summary


Did You Know? Over 30 million people have taken direct-to-consumer genetic tests like 23andMe’s DNA kits and entrusted those companies with their genetic data, making robust security for that sensitive information critical.

The theft and dark web sale of 23andMe customers’ genetic data represents a landmark cybersecurity and privacy incident. The breach compromised the DNA info, health insights and identities of over 6 million customers and shook consumer trust in the fast-growing genetic testing industry.

The dozens of class action lawsuits filed against 23andMe seek accountability and compensation for victims, alleging the company’s lax data security violated consumer protection laws, contracts, and privacy rights. While 23andMe contests liability, it has agreed to a $30 million settlement to resolve the claims.

Under the proposed deal, impacted customers can claim cash payments for documented losses, time and stress from the breach, with extra compensation available for genetic privacy law violations. All class members also get free credit monitoring and identity theft assistance.

Beyond the monetary relief, the settlement seeks to drive industrywide cybersecurity improvements, with 23andMe committing to implement multi-factor authentication, regular audits, enhanced employee training, and stricter limits on data retention and purging. Customers will also gain a clear path to request deletion of their data.

As the consolidated cases move through the settlement approval process, 23andMe customers and other genetic testing consumers should closely monitor the proceedings, understand their rights, and take steps to secure their sensitive health data. This historic settlement has major implications for the future of consumer genetic privacy.

Protecting Your Data and Beyond: Legal Resources for Various Needs

The 23andMe settlement highlights the importance of data privacy, but legal challenges can arise in many areas of life. Consider these steps to protect your personal and genetic data:

  • Regularly monitor your accounts for suspicious activity
  • Use a strong, unique password for every account and never reuse one from another site: the 23andMe attackers got in with passwords leaked in other companies’ breaches
  • Turn on two-factor authentication wherever it is offered
  • Be cautious about sharing personal information online, and review opt-in sharing features (such as relative matching) that let other accounts see your data
  • Stay informed about data privacy laws and your rights


For ongoing legal support in data privacy and beyond, LawInc offers connections to vetted attorneys across all states and practice areas, including:

  • Data privacy and cybersecurity
  • Consumer protection
  • Class action lawsuits
  • Personal injury
  • Business law
  • Intellectual property
  • Family law
  • And many more


Need legal guidance in any area? Contact LawInc to explore your options and get expert support.

Test Your 23andMe Data Breach Knowledge

Questions: 23andMe Data Breach 101

    • 1. How many 23andMe customers had their genetic and personal data exposed in the 2023 breach?
      • A) 640,000
      • B) 6,400,000
      • C) 64,000
      • D) 640
    • 2. Which groups did hackers appear to target in collecting breached genetic data?
      • A) People of Chinese descent
      • B) People of Ashkenazi Jewish descent
      • C) Both A and B
      • D) Neither A nor B
    • 3. What sensitive health information was compromised for some customers?
      • A) Health predisposition reports
      • B) Carrier status reports
      • C) Wellness reports
      • D) All of the above
    • 4. Where did the hackers post the stolen 23andMe customer data for sale?
      • A) The dark web
      • B) Facebook Marketplace
      • C) eBay
      • D) Amazon
    • 5. What happened to 23andMe’s stock price immediately following announcement of the data breach?
      • A) Rose 10%
      • B) Stayed the same
      • C) Fell over 50%
      • D) Was delisted from NASDAQ

Answers: 23andMe Data Breach 101

    • 1. B) 23andMe reported that approximately 6.4 million customers’ data was compromised in the breach.
    • 2. C) Analyses found the stolen dataset for sale contained info on over 1 million 23andMe users of Ashkenazi Jewish descent and over 300,000 of Chinese heritage.
    • 3. D) For some customers, the breach exposed sensitive health predisposition, wellness, and carrier status genetic reports.
    • 4. A) The hackers put the 23andMe customer data up for sale on the dark web, an anonymous part of the internet often used for illegal activity.
    • 5. C) 23andMe’s stock price plummeted over 50% in the days immediately following its announcement of the customer data breach.

Questions: Legal Issues & Settlement Basics

    • 1. How many class action lawsuits were filed against 23andMe relating to the data breach?
      • A) Over 10
      • B) Over 20
      • C) Over 30
      • D) Over 40
    • 2. What did the lawsuits generally allege 23andMe did wrong related to the data breach?
      • A) Failed to adequately safeguard customers’ personal data
      • B) Misrepresented its data security practices to customers
      • C) Violated data breach notice and consumer protection laws
      • D) All of the above
    • 3. What amount has 23andMe agreed to pay to settle the consolidated class actions?
      • A) $3 million
      • B) $13 million
      • C) $23 million
      • D) $30 million
    • 4. What is the maximum documented loss reimbursement amount available under the settlement?
      • A) $100
      • B) $1,000
      • C) $10,000
      • D) Unlimited
    • 5. How many years of free credit monitoring and ID theft protection does the settlement provide class members?
      • A) 1 year
      • B) 2 years
      • C) 3 years
      • D) 5 years

Answers: Legal Issues & Settlement Basics

    • 1. D) After the breach announcement, over 40 proposed class actions were filed against 23andMe in federal and state courts nationwide.
    • 2. D) The lawsuits accused 23andMe of failing to secure data, misleading customers about its practices, and violating data privacy and consumer laws.
    • 3. D) 23andMe has agreed to a $30 million non-reversionary settlement fund to resolve the consolidated class action litigation.
    • 4. C) The settlement allows class members to claim reimbursement of up to $10,000 for documented out-of-pocket losses related to the data breach.
    • 5. C) All settlement class members are eligible for 3 years of free credit monitoring and identity theft protection services.

Disclaimer

Class action settlement terms are subject to change and court approval. Eligibility for benefits depends on factors unique to each class member’s situation. Please consult the official settlement website and/or an attorney for the most up-to-date information and to understand your specific rights.

If you believe your data may have been compromised in the 23andMe breach or have questions about participating in the settlement, please contact a qualified attorney.
