even if there's no financial compensation for the victims, it makes sense to make an example out of a company that doesn't actually take data privacy and security seriously.
It would be a dangerous precedent though. Assuming they have a reasonable password policy, it seems the breach was in no way related to a failure by 23andMe.
Sure they could do better, but are they legally required to be better? They could force 2FA, or 3FA, or 4FA, and disable accounts that go inactive for more than a week and require a validating DNA sample in the mail to reactivate.
If they're "made an example of," what exactly does that mean? At what point is an entity legally responsible for the irresponsibility of its users?
I think it's more a question of encrypting data on the backend. The data wasn't stolen by phishing 16 million individual users' passwords. Companies that deal with sensitive genetic data should be subject to the same level of HIPAA compliance as those that deal with medical data, for instance.
I don't actually know. But if a user wanted to share personal data with another user, I'd make a one-time key. I'm relatively certain that they took no precautions against someone with access to their database. In some scenarios for tiny companies that might be okay, if you don't store sensitive data; but not when it might get whole groups of people slaughtered based on their genetic profile.
Ugh. I'm so divorced from social media, I didn't even consider the marketing use case for "share your genetic data with your friends"... I wonder if this hack was just someone scraping an API for that (?!!)
It's gross. On a side note, when I asked my father (an educated man in his 80s with a law degree) why he put our genetic information online without asking us, his response was that he didn't put it online, he mailed it, and it was just his own. I only say this to illustrate that the entire setup here resembled a con game to collect genetic data from unwitting people, which, if they represented only 25% of the population, would be enough to let you deduce the rest. The abhorrent fact that the data was handled so flippantly is just icing on the cake.
The allegation is that they weren't taking reasonable steps to safeguard customer data under California law; the problem is that it's not stated what "reasonable" is. What's needed here are clearer regulations.
Common sense tells you that if you set up a service for the gullible to send you their DNA that none of your customers are going to be security and privacy conscious. You need to engineer your service accordingly.
They even offer 2-factor: https://customercare.23andme.com/hc/en-us/articles/360034119...