Buyer of 23andMe Required to Honor Company’s Data Privacy Commitment

Data Privacy,
Data Security,
Healthcare

FTC Asserts 23andMe’s Privacy Obligations Must Be Honored Amid Bankruptcy


The Federal Trade Commission (FTC) has written to the U.S. Trustees overseeing 23andMe’s bankruptcy to state that any sale of the genetic testing company or its assets must honor the privacy and security commitments the company made to its customers. Those commitments cover how the sensitive personal information and biological samples collected from consumers are stored, used and shared.

In his letter to the U.S. Trustees administering 23andMe’s Chapter 11 case, FTC Chairman Andrew Ferguson set out the agency’s “interests and concerns” about a transaction that would transfer the sensitive personal information of millions of American consumers.

23andMe filed for Chapter 11 bankruptcy protection on March 23 in federal court in Missouri. The filing raises pointed questions about consumer data privacy, because the company’s business is built on collecting intimate genetic and health information through its testing services.

Chairman Ferguson noted the unusual sensitivity of the data 23andMe holds, which includes genetic profiles, health information, contact details, and messages exchanged between users on the platform. He treated the company’s own representations as the measure of its obligations, including its assurance that it will not share users’ personal information with third parties without valid legal process.

In addition to its privacy statements, 23andMe assures users that it restricts the sharing of their information to only those instances necessary for service delivery and that it partners with a limited number of service providers contractually obligated to maintain strict confidentiality.

Moreover, the company’s medical record privacy notice stipulates that genetic information will not be disclosed to third parties without explicit consumer consent, thereby adding another layer of protection for individuals’ data within the medical context.

Importantly, 23andMe’s privacy terms state that in the event of bankruptcy or similar corporate changes, consumer data may be accessed or sold; however, these terms remain applicable to the transferred data, thereby maintaining user assurances.

Chairman Ferguson emphasized that any sale approved in the bankruptcy proceedings should honor the promises made to users about their privacy and security, consistent with Section 363(b)(1) of the Bankruptcy Code, which restricts the sale of personally identifiable information in a manner inconsistent with the privacy policy in force when the data was collected. He reiterated that any purchaser must be bound by the terms of 23andMe’s privacy policies so that the protection of consumer information continues uninterrupted.

Neither 23andMe nor the bankruptcy trustees had responded to the FTC’s letter at the time of reporting. The episode is a reminder to any company that holds sensitive consumer data that its privacy commitments follow the data through a sale, merger or bankruptcy rather than ending with the corporate entity that made them.

Data Breach Context

Following its earlier breach, 23andMe is offering consumers the option to delete their stored data and withdraw consent for its use in research. In October 2023 the company acknowledged a credential-stuffing attack, in which attackers logged in using username and password pairs leaked in unrelated breaches and reused by 23andMe customers. The company reported that roughly 14,000 accounts were directly accessed; because those accounts had opted into the DNA Relatives feature, the attackers could also scrape profile information shared with them by other users, and the company later disclosed that data for about 6.9 million people was exposed that way. The attackers themselves claimed to have extracted considerably more sensitive information.

The company has since reached proposed settlements of the class action lawsuits arising from the incident, underscoring the exposure of genetic testing services to weaknesses in consumer account security. In MITRE ATT&CK terms the intrusion maps to Credential Access, specifically Brute Force: Credential Stuffing (T1110.004); no exploitation or privilege escalation was needed, because valid credentials granted the same access the legitimate user had. The corresponding mitigations are multi-factor authentication, screening passwords against known-breached credential sets, and rate limiting or anomaly detection on login endpoints.
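The detection side of the credential-stuffing paragraph above, as an added example that is not code from 23andMe or from the original article: a small detector that runs over constructed web-app login lines and separates a stuffing campaign (one leaked password tried against many distinct accounts, mostly failing) from classic brute force (many attempts against one account) and from ordinary user error. The log format, IP addresses, usernames and thresholds are all assumptions made up for the example.

```python
"""Credential-stuffing detector over login events (added example).

A stuffing campaign replays leaked username/password pairs, so from the
target's side a single source shows many DISTINCT usernames, a high failure
ratio and only one or two attempts per username. Brute force is the mirror
image: many attempts against few usernames. The detector below scores each
source IP over a sliding time window and reports the accounts on which the
source succeeded, which are the accounts whose sessions and passwords must
be reset. Log format and sample data are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO time> <source ip> login user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 stuffs ten accounts (two succeed),
# 198.51.100.9 brute-forces one account, 192.0.2.5 is a normal user who
# mistypes a password once.
SAMPLE_LOG = """\
2023-10-01T12:00:00Z 203.0.113.7 login user=alice result=fail
2023-10-01T12:00:01Z 203.0.113.7 login user=bob result=fail
2023-10-01T12:00:02Z 203.0.113.7 login user=carol result=ok
2023-10-01T12:00:03Z 203.0.113.7 login user=dave result=fail
2023-10-01T12:00:04Z 203.0.113.7 login user=erin result=fail
2023-10-01T12:00:05Z 203.0.113.7 login user=frank result=fail
2023-10-01T12:00:06Z 203.0.113.7 login user=grace result=ok
2023-10-01T12:00:07Z 203.0.113.7 login user=heidi result=fail
2023-10-01T12:00:08Z 203.0.113.7 login user=ivan result=fail
2023-10-01T12:00:09Z 203.0.113.7 login user=judy result=fail
2023-10-01T12:01:00Z 198.51.100.9 login user=bob result=fail
2023-10-01T12:01:01Z 198.51.100.9 login user=bob result=fail
2023-10-01T12:01:02Z 198.51.100.9 login user=bob result=fail
2023-10-01T12:01:03Z 198.51.100.9 login user=bob result=fail
2023-10-01T12:01:04Z 198.51.100.9 login user=bob result=fail
2023-10-01T12:01:05Z 198.51.100.9 login user=bob result=fail
2023-10-01T12:02:00Z 192.0.2.5 login user=alice result=ok
2023-10-01T12:05:00Z 192.0.2.5 login user=alice result=fail
2023-10-01T12:05:10Z 192.0.2.5 login user=alice result=ok
"""


def parse_events(text):
    """Parse log text into dicts with ts (aware datetime), ip, user, ok."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a login event; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"})
    return events


def _window_stats(window):
    """Per-source statistics for one (non-empty) slice of events."""
    per_user = defaultdict(int)
    fails = 0
    compromised = set()
    for e in window:
        per_user[e["user"]] += 1
        if e["ok"]:
            compromised.add(e["user"])  # a success from a stuffing source = takeover
        else:
            fails += 1
    return {
        "attempts": len(window),
        "distinct_users": len(per_user),
        "fail_ratio": fails / len(window),
        "max_per_user": max(per_user.values()),
        "compromised": sorted(compromised),
    }


def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5,
                    min_fail_ratio=0.7, max_per_user=2):
    """Return {ip: stats} for sources whose activity within any sliding
    window looks like credential stuffing. Thresholds are assumed defaults."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1  # j always passes evs[i] itself, so evs[i:j] is non-empty
            st = _window_stats(evs[i:j])
            if (st["distinct_users"] >= min_distinct_users
                    and st["fail_ratio"] >= min_fail_ratio
                    and st["max_per_user"] <= max_per_user):
                best = flagged.get(ip)
                if best is None or st["distinct_users"] > best["distinct_users"]:
                    flagged[ip] = st
    return flagged


if __name__ == "__main__":
    for ip, st in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {st['distinct_users']} accounts tried, fail ratio "
              f"{st['fail_ratio']:.2f}, successes on {st['compromised']}")
```

Only the stuffing source is flagged; the brute-force source fails the distinct-user test and the normal user never approaches the thresholds. Two caveats for real deployments: campaigns routed through rotating proxies spread across thousands of source IPs, so the same statistics should also be computed per user-agent or TLS fingerprint and across all sources combined (a site-wide spike in distinct accounts failing is the signal that survives IP rotation); and a low-and-slow campaign can stay under any per-window threshold, which is why the page's mitigations of MFA and breached-password screening matter more than any detector.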
