News & Insights

Quick Guide: CT AG Reacts to Genetic Data Breach

When 23andMe suffered a data breach that potentially exposed sensitive data collected in genetic testing, Connecticut AG William Tong took action. Chris Allen and Hannah Cornett discuss the implications of the breach and identify best practices for anticipating and responding to data security incidents.

(00:23): Chris introduces himself and Hannah Cornett, an associate in Cozen O’Connor’s State AG Group. He explains that this week’s episode of State AG Pulse, like last week’s, features an action by Connecticut AG William Tong; a letter to the genetic testing company 23andMe.

(01:24): Per Hannah, AG Tong sent an inquiry letter to 23andMe about a data breach that the company reported in a press release on October 6th outlining his concerns that 1) 23andMe had not yet submitted a notification to his office, and 2) there were some reports that consumers of Ashkenazi Jewish descent or Chinese ancestry were targeted. He requested that the company respond with more info about its data security practices in general, as well as about the breach in particular.

(02:20): Chris asks what the significance of Connecticut sending this letter is and what makes this especially sensitive, noting that Connecticut is well recognized as a leader in enforcing against data security breaches, amongst other areas. He goes on to talk about AGs’ particular interest in protecting vulnerable groups like the elderly, minors, seniors, members of the military, ethnic groups, et cetera and speculates whether General Tong being the first statewide elected official of Asian descent in the state of Connecticut played a part in his interest.

(04:37): Hannah ponders how it will play out; whether there will be a more comprehensive CID, and whether other states will jump in.

(04:48): Chris points out that the potential data that was exposed includes name, sex, date of birth, geographic location, and genetic ancestry results. Per Chris, such traditional ID indicators can be used to commit identity fraud as entities try to build databases they can sell on the black market or use for their own national security and intelligence purposes. He points out that whereas previously banks or hospitals were the primary target for such hackers, they have broadened their net to include law firms and other types of businesses that collect personal data like 23andMe, in search of the weakest link in the information chain.

(07:35): Hannah also notes that this could have been a credential stuffing incident where the bad actor took advantage of the fact that users had the same password for 23andMe as for another site that was hacked. She suspects that the AG’s office will want to know whether 23andMe had multi-factor authentication in place. She asks Chris how soon he thinks a company should notify an AG’s office about a breach.

(08:43): Chris’ opinion is that it depends on a variety of factors and detailed forensic analysis is needed for a full and accurate answer but the bottom line is that you’re not going to hide from a state AG and it’s better to be proactive in communicating early and often with the AGs’ offices as the stakes are very high, potentially in the billions of dollars.

(10:37): Hannah adds that businesses should think about coordinating AG notifications with consumer notifications.

(10:55): Per Chris, the best answer is to invest in a data incident playbook setting out all the states’ current data breach notification laws.

To listen to the full podcast, click here. To listen to a particular section, open the recording and use the time stamps provided above to navigate to the desired part.

To read more about the news story on which this podcast is based, click here.