California Alerts Consumers to Exercise Data Deletion Rights Amid 23andMe Bankruptcy

23andMe, a prominent genetics testing company, has recently filed for Chapter 11 bankruptcy protection and intends to seek a buyer for the business. This development raises critical concerns about the security and privacy of the health and ancestry data amassed from millions of customers. With assets estimated at $277.42 million against liabilities of $214.7 million, the company’s financial situation is precarious, prompting discussions around the future handling of sensitive consumer data.
In its bankruptcy filing, 23andMe indicated its desire to liquidate a significant portion of its assets, pending court approval. The potential sale process may involve competitive bidding facilitated by an independent investment banker over a 45-day period. Buyers of the business will be required to adhere to existing regulations concerning customer data management, including compliance with the Hart-Scott-Rodino Act, which governs antitrust laws, and oversight from the Committee on Foreign Investment in the United States.
Amid these developments, privacy experts have expressed apprehension regarding the safeguarding of consumer data during this transition. David Holtzman, a privacy attorney, highlighted the contradictory pressures of maintaining data privacy versus addressing the operational demands associated with bankruptcy. There are concerns that customer data could be transferred to a new owner who may repurpose the information in ways not originally intended.
In response to the bankruptcy announcement, California Attorney General Rob Bonta has issued an alert urging state residents to exercise their rights under the Genetic Information Privacy Act, which allows consumers to request the deletion of their genetic information held by 23andMe. Instructions have been provided for how customers can delete their data and request the destruction of saliva samples. Bonta’s warning underscores the need for consumers to proactively protect their information, especially given the uncertainties surrounding 23andMe’s financial stability.
It is important to note that while some states offer similar rights to consumers, others do not. Nonetheless, 23andMe’s online privacy policy appears to extend deletion rights to all consumers, irrespective of their state of residence. This proactive approach may stem from previous data security challenges the company has faced, including a credential-stuffing incident that exposed sensitive information of approximately 14,000 users, raising alarms over the adequacy of its data security measures.
The implications of this bankruptcy extend beyond immediate financial concerns, touching upon vital questions of data ownership and privacy in an evolving cybersecurity landscape. Consumers who provided genetic data to 23andMe might consider the long-term ramifications of their choices as the company navigates its future. Given the value of genetic data to potential data brokers and insurers, the stakes are high for those who have entrusted their sensitive information to the company.
Moving forward, the MITRE ATT&CK Matrix provides useful context for understanding the tactics and techniques that could be relevant in this scenario, particularly in terms of initial access, persistence, and information gathering. While 23andMe has committed to upholding privacy standards during the bankruptcy and potential sale, it remains to be seen how effective these measures will be in ensuring consumer confidence post-transition. As the technology evolves and stakes grow higher, adherence to established privacy frameworks will be paramount in preserving consumer trust in the data economy.