Genetic testing provider 23andMe is facing multiple legal challenges following an October credential stuffing attack that compromised customer data. In response, the company has modified its Terms of Use in a way that makes legal action against it harder to bring.

During the October attack, a threat actor attempted to sell 23andMe customer data. When that failed, the perpetrator leaked records on 1 million Ashkenazi Jews and 4.1 million individuals residing in the United Kingdom. According to 23andMe's statement, the breach occurred through credential stuffing against customer accounts, that is, logging in with username and password pairs reused from other sites' breaches. Starting from a limited number of accounts compromised this way, the threat actors used the 'DNA Relatives' feature to scrape data on millions of individuals who had never been logged into directly.
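As an added illustration, not part of the original article and not 23andMe's own tooling, the following Python shows how the two stages described above would surface in logs and how a defender might flag each: a source address trying many distinct usernames with a low success rate (credential stuffing), and an account that then pages through an unusually large number of relative profiles in a short window (scraping). The log format, field names and all sample events are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events in a hypothetical "TIMESTAMP key=value ..." format.
# One address cycles through six usernames and lands on one valid pair (frank);
# a second address is an ordinary user who mistypes a password once.
AUTH_LOG = [
    "2023-10-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL",
    "2023-10-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2023-10-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL",
    "2023-10-01T10:00:03Z ip=203.0.113.7 user=dave result=FAIL",
    "2023-10-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL",
    "2023-10-01T10:00:04Z ip=203.0.113.7 user=frank result=OK",
    "2023-10-01T10:01:10Z ip=198.51.100.4 user=alice result=FAIL",
    "2023-10-01T10:01:20Z ip=198.51.100.4 user=alice result=OK",
]

# Constructed post-login activity: the compromised account (frank) fetches 25 relative
# profiles in under half a minute, while alice looks at two.
ACTIVITY_LOG = [
    f"2023-10-01T10:02:{i:02d}Z user=frank action=view_relative target=r{i:04d}"
    for i in range(25)
] + [
    "2023-10-01T10:03:00Z user=alice action=view_relative target=r9001",
    "2023-10-01T10:04:00Z user=alice action=view_relative target=r9002",
]


def parse_event(line):
    """Split 'TIMESTAMP key=value ...' into a dict; 'ts' holds the parsed datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_stuffing_sources(lines, min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that attempt many distinct usernames with mostly failures.

    A real user fails against one or two of their own accounts; a stuffing list
    produces a long tail of different usernames from one address.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ev in map(parse_event, lines):
        users[ev["ip"]].add(ev["user"])
        attempts[ev["ip"]] += 1
        if ev["result"] == "OK":
            successes[ev["ip"]] += 1
    flagged = {}
    for ip, total in attempts.items():
        ratio = successes[ip] / total
        if len(users[ip]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(users[ip]), "success_ratio": round(ratio, 2)}
    return flagged


def compromised_accounts(lines, flagged_ips):
    """Accounts that logged in successfully from a flagged stuffing source."""
    return {
        ev["user"]
        for ev in map(parse_event, lines)
        if ev["ip"] in flagged_ips and ev["result"] == "OK"
    }


def find_scrapers(lines, window=timedelta(minutes=10), max_views=20):
    """Flag accounts exceeding max_views relative-profile views in any sliding window.

    Returns {user: peak_views_in_window}. This is the pattern that turns a handful
    of stolen logins into data on millions of people who were never logged into.
    """
    views = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev.get("action") == "view_relative":
            views[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, stamps in views.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_views:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    sources = find_stuffing_sources(AUTH_LOG)
    print("stuffing sources:", sources)
    print("likely compromised:", compromised_accounts(AUTH_LOG, sources))
    print("scraping accounts:", find_scrapers(ACTIVITY_LOG))
```

The thresholds are illustrative; in practice they would be tuned against normal traffic, and the two signals are most useful chained together, since a successful login from a flagged address followed by bulk relative lookups is far stronger evidence than either alone.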

In a recent announcement, 23andMe disclosed that a total of 6.9 million individuals were affected by the breach: 5.5 million through the DNA Relatives feature and a further 1.4 million through the Family Tree feature.

Facing legal repercussions, 23andMe amended its Terms of Use on November 30th. The updated terms include a provision mandating individual arbitration for dispute resolution in place of jury trials or class action lawsuits.

The revised Terms of Use state, “The terms of service incorporate a compulsory dispute resolution provision mandating the use of arbitration on an individual basis to address disputes under specific circumstances, as opposed to resorting to jury trials or class action lawsuits.”

Customers were notified of this change via email, and they were given a 30-day window to express disagreement with the new terms by contacting 23andMe at customercare@23andme.com. Users who contested the update would remain subject to the previous Terms of Service.

Despite these measures, legal experts, such as Nancy Kim, a professor at Chicago-Kent College of Law, cast doubt on the effectiveness of this modification in protecting 23andMe from lawsuits. Kim suggested that proving reasonable notice for opting out of the new terms might pose a challenge for the company.
