DNA companies should receive severe penalties for losing our data

Personal data is the new gold. The recent 23andMe data breach is a stark reminder of a chilling reality -- our most intimate, personal information might not be as secure as we think. It's a damning indictment of the sheer negligence of companies that, while profiting from our DNA, are failing to protect it.

The 23andMe breach saw hackers gaining access to a whopping 6.9 million users’ personal information, including family trees, birth years and geographic locations. It brings to the fore a few significant questions: Are companies really doing enough to protect our data? Should we trust them with our most intimate information?

Companies are promising to keep our data safe, but there are a couple of quirks here. Government overreach is certainly a possibility, as the FBI and every policing agency in the world is probably salivating at the thought of getting access to such a huge dataset of DNA sequences. It could be a gold mine for every cold case from here to the South Pole.

The argument, “But if you haven’t done something wrong, you have nothing to worry about!” is only partially applicable, here: The problem is one of consent. My father at one point did a DNA test, and discovered he had a half-brother who is about to turn 80. Cue an incredible amount of family drama when they started digging into the history and unearthed a whole bunch of potentially problematic family history.

The problem isn’t so much that my dad chose to do that, it is that I didn’t consent to being in a database, and that’s where things get sticky. I can envision a definite Black Mirror-esque future, where one family member is curious about their ancestry, gets tested, and two weeks later, the FBI comes knocking on every person’s door who shares 50% DNA with that person because they are wanted for some sort of crime.

The audacity of 23andMe, and companies like it, is astounding. They pitch themselves as guardians of our genetic history, as the gatekeepers of our ancestral pasts and potential medical futures. But when the chips are down and our data is leaked, they hide behind the old "we were not hacked; it was the users' old passwords" excuse.

This logic is equivalent to a bank saying, “It’s not our fault your money got stolen; you should have had a better lock on your front door.” It’s unacceptable and a gross abdication of responsibility.

Companies that deal with such sensitive data should be held to the highest possible standard. We're not just talking about credit card numbers or email addresses here. This is our DNA, the very blueprint of our existence. If anything should be considered “sacred” in the digital realm, surely it should be this?

The fact that the stolen data was advertised as a list of people with ancestries that have, in the past, been victims of systemic discrimination, adds another disturbing layer to this debacle. It highlights the potential for such data to be misused in the most nefarious ways, including targeted attacks and discrimination.

The DNA testing industry needs to step up. It must ensure that the security measures in place are not just adequate, but exceptional. They should be leading the charge in cybersecurity, setting an example for all other industries to follow.

This is not just about better passwords or two-factor authentication. This is about a fundamental shift in how these companies view the data they are entrusted with. It's about recognizing the profound responsibility they have, not just to their customers, but to society at large.

Am I hopeful? Not even a little. I’ve long argued that after the Equifax breach, the company should have received the corporate equivalent of the death penalty. Instead, it was given a $700 million fine. I think that’s laughable. Allowing a breach of such a magnitude to even be possible, never mind actually come to pass? You don’t deserve to continue to be a company. I think that is even truer for companies dealing with our DNA.

It's time for 23andMe and the DNA testing industry as a whole to realize that they are not just dealing with data. They are dealing with people's lives, their histories and their futures. It's time they started treating our data with the respect and care it deserves.