[gruez]

If you prominently advertised that you don't retain data, but it turned out that you did and it got leaked, that's a straightforward case of fraud. Given that the services would be advertised over the internet, it probably counts as wire fraud which means the feds would get involved. On the other hand if they had permission to keep your data and they got hacked, it becomes a messy tort case where the plaintiffs has to prove that the company didn't try hard enough to secure the data. In other words, the point isn't to guarantee that your data won't be leaked/hacked, it's to make it straightforward to go after you if you decide to lie.

This is why I won't use any genome sequencing service that has a bunch of ancillary services attached (eg. analyzing your ancestry, or figuring out what diseases you're at risk for), and you have to request deletion of data. The fact they provide such services means that your data is getting automatically uploaded to the cloud, probably resulting in multiple copies to different systems/databases/vendors. Even though you can theoretically request deletion, all those copies means there's a non-negligible chance that there's a copy lying around in a decommissioned s3 bucket that they didn't delete. If they service promises sample -> sequencing machine -> lab computer -> [PGP encrypted email/mailed CD], that cuts the risk considerably.