by jacquesm 900 days ago
Negligence is a perfectly valid reason for culpability and I see the fact that they offered a service with this kind of data to the general public without mandatory 2FA as negligent. If only because their users are more than likely to be unaware of the kinds of risks they are taking whereas 23andme knows exactly what kind of risk those users are taking: that's why they wanted their data in the first place.

In my opinion the real reason why they didn't mandate 2FA is very simple: it would have alerted users to the fact that what they were doing was significant, and it would have been a point of friction in setting up the account. But all they wanted was the data; the rest was infotainment and a sideshow from the POV of 23andme. The words 'duty of care' probably mean absolutely nothing to them.

They could have mandated 2FA only at the point where they present the results.
No, they should have done it right from day #1 so that users (1) have confidence they are treating this with the seriousness that it requires, (2) have the 'surprise' factor minimized, and (3) have their other data properly protected as well. They also should have ensured HIPAA compliance for their US-based customers and compliance with whatever local legislation was applicable for their customers elsewhere, and tracked any changes in that legislation. This includes full consent management, the option to withdraw consent at any point in time, and the ability to deal with requests for removal of data, especially relevant given that the suppliers of the DNA material may later on have second thoughts about all this. Note that you don't just give DNA to a service like this on your own behalf but also on behalf of all of your siblings, descendants and ancestors.

Recognize the potential for actual damage before you decide to blame the victims here, and then wonder why 23andme apparently did not recognize that potential. Also recognize that you can't exactly change your DNA; it is your identity.