The allegation is that they weren't taking reasonable steps to safeguard customer data under California law, the problem is that it's not stated what reasonable is. What's needed here are clearer regulations.
Common sense tells you that if you set up a service for the gullible to send you their DNA that none of your customers are going to be security and privacy conscious. You need to engineer your service accordingly.