‘Tricky at best, pointless at worst’; ICO fines 23andMe

The UK Information Commissioner has raised more than a few eyebrows by making a bold statement: fining genetic testing company 23andMe £2.31m for security failings, even though the company has already gone bust.

The move follows a joint investigation by the ICO and the Office of the Privacy Commissioner of Canada that revealed the firm had failed to protect the personal information of more than 150,000 UK residents after a large-scale cyber-attack in 2023.

Family trees, health reports, names and postcodes were among the sensitive data hacked from the California-based company. It only confirmed the breach months after the attack started and once an employee saw the stolen data advertised for sale on the social media platform Reddit.

Information Commissioner John Edwards branded the months-long incident across the summer of 2023 a “profoundly damaging breach”. In total, the data of 7 million people worldwide was affected.

Edwards said: “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

The fine came as a $305m bid led by the company’s former chief executive, Anne Wojcicki, looked poised to win control of 23andMe in a bankruptcy auction.

A spokesperson said 23andMe had since implemented multiple steps to increase security to protect individual accounts and information.

As part of the deal to rescue 23andMe, Wojcicki’s non-profit organisation, the TTAM Research Institute, has made “binding commitments to enhance protections for customer data and privacy, including allowing individuals to delete their account and opt out of research at any time” and “agreeing not to sell or transfer genetic data under a subsequent bankruptcy or change of control”. It is also offering customers two years of free identity theft monitoring.

The fine represents a significant reduction compared to the sum the ICO was previously considering when it issued its Notice of Intent in March. At the time, the proposed fine was £4.59m. Even so, given the company’s financial state, there are concerns over whether it will ever have to cough up.

The ICO is in close contact with 23andMe’s lawyers and the US trustee, and maintains that 23andMe is still obligated to comply with the UK GDPR and the regulator’s enforcement actions.

It deems its fine-collection policy to be robust but fair, offering payment plans for organisations that are suffering genuine financial hardship, a criterion that 23andMe may meet, although the regulator has not commented on this.

The ICO has the power to pursue formal recovery actions that could lead to insolvency, but whether it would be able to go after a US organisation in that way is an open question.

One industry source said: “Of course, the ICO had to do something, but fining a company that has already gone bust is tricky at best, pointless at worst.

“Obviously the regulator wanted to send out a strong message, but it is very unlikely it will ever get the money. Let’s face it, the ICO has enough trouble recouping fines from UK firms that are still trading, let alone one based in the States that has gone under.”

Mishcon de Reya senior data protection specialist Jon Baines appears to agree: “The 2023 hack was poorly handled, and exposed a number of underlying failings, which led to the compromise of the sensitive information of over 150,000 UK residents.

“But this may not be as straightforward to enforce as the ICO would want. 23andMe is established in California, and regulatory enforcement across borders can be difficult.

“And there is another angle: 23andMe filed for bankruptcy in March, and since then there have been complicated manoeuvres and negotiations for its sale. These have in themselves raised concerns about what will happen with users’ sensitive genetic data, but they also create a difficult dynamic, because a buyer of the company may not want to acquire at the same time the liabilities that accompany a regulatory fine, which might include the increased threat of legal claims from overseas users.

“The fine is not large when compared to the valuations of the company (which are in the hundreds of millions of dollars) but it is still not insignificant. When the ICO tried to fine the US facial recognition company Clearview AI, it led to appeals which are still making their way through the UK courts, and which will be costing the ICO a large amount of money in legal fees. The last thing the ICO will want is for something similar to happen here. But it may well be difficult to avoid.”
