Signs in 23andme headquarters in Sunnyvale, California, USA, on Wednesday, January 27, 2021.
David Paul Morris | Bloomberg | Getty pictures
DNA tests have become a valuable tool for hobbyists and beginner's genealogists. For some it is learning that you are Paul Revere's 10th cousin or the 15th big nephew, which was four times removed from the last king of Prussia, is worth sharing a DNA sample. But what happens if the company that reaps the DNA goes bankrupt?
This was the question that has been asked millions of Americans in the past week when 23Andme, the company that made consumer genetics popular and supported early on, announced bankruptcy, which led to a wave of calls for Americans to delete their DNA from the company's database.
It is not 100 percent clear whether the calls “delete your DNA calls” were guaranteed, but data protection experts are alerted and Americans who had carried out the genetic test have taken the advice to heart.
According to data from the online traffic analysis company in a similar web, 23Andme received an increase of 526% compared to the day before on March 24, the day of the insolvency announcement. According to similar web, 376,000 visits were made to help pages that are specifically related to deleting data, and 30,000 were carried out on the customer care page to close the account. The next day, this number rose to 1.7 million visits and rraffic to the “Delete data” page by 480,000.
Margaret Hu, Professor of Law and Director of the Digital Democracy Lab at the William & Mary Law School, believes that the Americans have taken the right step. “This development is a disaster for data protection,” said HU. In your opinion, the 23Ande bankruptcy should serve as a warning why the federal government needs strong data protection laws.
In some states, according to HU, the government plays an active role in advising consumers. The general prosecutor's office in California calls on the Californians to delete their data and destroy 23Ande saliva samples. But HU says this is not enough, and such instructions should be made available to all US citizens.
The potential effects of the national security of 23Andmes data that falls into the wrong hands are not new. In fact, the Pentagon had previously warned the military personnel that these DNA kits could be a risk of national security.
The DNA collected by consumers is also not a new problem for 23Ande. In 2023, almost 7 million people who carried out the genetic test were already exposed in a major 23Andme data violation. The company signed an agreement that included an agreement of over 30 million US dollars and a promise of security monitoring of three years.
But HU says that bankruptcy is now making the company and its data, especially vulnerable.
Pharmaceutical research and genetic test data
One of the things that can be noticed in the early years of the popularization of genetic tests in consumer -it was that the majority of users chose research purposes for the exchange of their DNA, up to 80% in the years in which 23Atme grew quickly. When the market for consumer sales of the popular DNA test kits previously reached than many expected, 23Andme focused more on research and development partnerships with pharmaceutical companies to diversify the income.
When 23Andme sells genetic data to other research companies, most are used to overall level, since millions of data points are analyzed as a whole. The company also strips out the identification of data from the genetic data, and there are no registration information (such as a name or e -mail). Data researchers need, such as the date of birth, separate from genetic data and with randomly assigned IDs.
HU is one of the affected experts who could change these practices under 23 and a new buyer. “In a time of financial vulnerability, companies such as pharmaceutical companies could see the opportunity to use the research advantages of the genetic data,” said HU, adding that they could try to negotiate previous contracts to extract more data from the company. “Will the next company buying 23Andme?” Hu said about his data protection guidelines.
In the past few days, 23Andme has announced that it will find a buyer who shares his data protection values.
23Andme did not answer a request for comment.
Anne Wojcicki, co-founder and CEO of 23Andme, presses the button and rings the Nasdaq opening bell from a distance in the headquarters of the DNA Tech Company 23andme in Sunnyvale, California, USA, on June 17, 2021.
Peter Dassilva | Reuters
Over the years since the foundation of 23 and in 2006, many customers were ready to send a swab to learn more about their family history. Elaine Brockhaus (70), who lived in Michigan, and her family were thrilled to learn more about their descent when they submitted samples of their DNA to 23Andme. But since the company is now concerned about insolvency and data protection experts about what is happening with the millions of people with stored DNA samples, says Brockhaus that the whole thing “caused a bit of a turmoil in my family”.
“We enjoyed some aspects of 23 & me,” said Brockhaus. “They continuously refined and updated our heir than more people joined and they were better able to determine genetically related groups,” said Brockhaus. She was able to learn more about health risk factors that were present in her past or not.
Now her family has closed the circle in the 23Andme experience: some members initially hesitated to participate, and now, says Brockhaus, everyone has deleted their accounts.
A unique company collapses, but everyday cyber risks
But Brockhaus continues to look at 23Ande in a larger market for consumer health in which the risks are not new, and health information is passed on in all possible environments in which security problems can occur. “Anyone who sends Cologne or receives medical results by post is the risk of exposure,” said Brockhaus. “Our identities can be stolen with a few key attacks. Of course, this does not mean that we should throw up our hands and agree to be victims, but unless we want to dig back and live in them, we have to be vigilant, proactive, but not in panic,” she added.
Jon Clay, Vice President of Threat Intelligence at the Cybersecurity company Trend Micro, says that consumers of 23 and 23Ande have to see bankruptcy as a threat. If the data is not transferred and guarded in the safest way in each sales process, “there is a risk of being used by malicious actors for a number of shameful purposes,” he said.
Clay believes that 23Andmes data for cybercriminals are incredibly valuable – not only because they are permanently and personally identifiable, but also because they can be exploited for identity theft, extortion or even medical fraud.
“Cybercriminal can use it to address consumers with convincing fraud and social engineering tactics, e.g.” Organizations that go bankrupt, should ensure that the security and privacy of the data of their customers is of crucial importance, and all data to exchange or sell data to others should not be done, “he added.
However, other experts say that the lesson of 23Ande is less about the collapse of the company and the threat to privacy, which serves as a memory of everyday cyber dangers in connection with personal data.
“When people talk about personal data, forget where your data is already,” says Rob Lee, head of research and faculty at the SANS Institute, who specializes in helping companies in information security and cyber problems. Regardless of whether it is a blood sample in a private laboratory or get rid of a laptop to upgrade to a new one, “your digital footprints are left out for people,” said Lee. “People don't understand the scope, so there is a bigger discussion out there, especially where data is going?”
With DNA information, there are certain basic legal factors that weigh people before they are disguised and send the sample.
According to Lynn Sessions, an expert in privacy and digital assets of the healthcare system and the partner of the law firm Bakerhostetler, the Federal Law, which applies to the privacy of patient information, hipaa, does not apply to this situation, and 23Andme is not considered a hipaaa-covered facility or business associate. However, there are state laws that apply to genetic information that is in the game, e.g. B. in California.
Meredith Schnur, managing director and cybersecurity manager at the insurance company Marsh, believes that the risk of the bankruptcy of 23Andme for people who have sent in their swabs is relatively low. “It does not cause any additional dismay or heartburn,” said Schnur. “I just don't think it opens an additional risk that does not yet exist,” she said, adding that the information of many people is already “out there”.
Last week Linda Avey, co -founder of 23Andme, blown up the company's management. “Without continued consumer-oriented product development and without governance, 23andme has lost its way, and society gave an important opportunity to promote the idea of personalized health,” Avey wrote in a social media post. “There are many warning stories in 23Andme history,” said Avey.
The bankruptcy itself is the problem that is now difficult for consumers to ignore, and until the sales process is complete, the questions remain.
“If you are bankrupt, the data protection values are not what you really think about. You think about selling your company to the highest bidder,” said HU. This highest bidder, says HU, could accept the genetic data and consumer profile data and connect them together if they are sold to others.
And this first sale that comprises the DNA of millions of people may be only the first of many transactions.
“It could sell it indiscriminately. And the buyer of this data could be a foreign opponent,” said Hu. “That is why this is not only a data protection disaster. It is also a national security disaster.”
Comments are closed.