23andMe 'Redirected Blame' to Cybercriminals After Oct. Data Breach: Class Action
23andMe disregarded users’ rights by negligently failing to implement “adequate and reasonable measures” to ensure their personally identifiable information (PII) was safeguarded during an October data breach, alleged a class action (docket 3:24-cv-01662) Monday in U.S. District Court for Northern California in San Francisco. The Oct. 6 data breach affected 6.9 million individuals.
Plaintiff Tyrell Brown, of Lisle, Illinois, alleges that in its October data breach notice, 23andMe attempted to “redirect the blame on to the criminal actors” that hacked its customer accounts and “avoided mentioning” its safeguards were “inadequate,” the complaint said. Its second notice “discussed the safeguards” but didn’t note the “inadequacies” that allowed the breach to occur, it said.
23andMe didn’t state if it was able to contain or end the cybersecurity threat, “leaving victims to fear whether the PII” 23andMe continues to maintain is secure, the complaint said. The genetic testing company also failed to state how the breach occurred, information that’s “vital to victims of a data breach,” due to the sensitivity and “wide array of information” involved, it said.
Brown was injured in the form of lost time dealing with the consequences of the breach, including verifying the legitimacy and impact; exploring credit monitoring and identity theft insurance options; monitoring his accounts with “heightened scrutiny”; and seeking legal counsel, the complaint said. Brown and class members have suffered “imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from their PII, in combination with their name, being placed in the hands of unauthorized third parties/criminals,” it said.
23andMe’s negligence in protecting customers’ PII is “exacerbated by repeated warnings and alerts” concerning securing sensitive data in light of the “trending data breach attacks in recent years,” the complaint said. Despite the prevalence of public announcements of data security compromises, 23andMe failed to take appropriate steps to protect Brown’s and class members’ PII, it said.
Brown asserts 23andMe violated the Illinois Genetic Information Privacy Act and is guilty of negligence. He requests actual, nominal and consequential damages; prejudgment interest; attorneys’ fees and costs; and orders requiring 23andMe to cease its unlawful activities, to encrypt all data collected in the course of business, and to implement a comprehensive information security program.