In November 2023, a class action lawsuit was filed against the genetic testing company, 23andMe. The plaintiffs alleged that a data breach resulted in the unauthorized disclosure of 6.9 million users’ personal and genetic information, including their names, contact information, ancestry reports, and DNA matches. Despite the fact that the breach began in April 2023 and lasted several months, the plaintiffs alleged that 23andMe failed to warn its users of the breach until October 2023 thereby causing further harm.
Although the parties began the arbitration process, the parties asked the US District Court for the Northern District of California to approve a proposed class action settlement in the amount of $30 million.
Under Federal Rules of Civil Procedure 23(e)(2), for a class action settlement to be certified, the proposed settlement must be “fair, reasonable, and adequate.” To determine whether the settlement is fair, reasonable, and adequate, the judge is to consider if: (1) the class representatives and attorneys adequately represented the class; (2) the proposed settlement was negotiated fairly; (3) the relief provided for class members is adequate; and (4) the proposed settlement treats all class members equally relative to their own individual capacities. Undoubtedly, the District Court will be reviewing these factors to determine the fairness of the proposed settlement. If certified, the settlement would provide effected users with monetary payment and offer the option for those same users to enroll in a free three-year Privacy & Medical Shield + Genetic Monitoring Program.
This proposed settlement is significant because it demonstrates the significant exposure that businesses face from data breaches. It also serves as a reminder for businesses to institute strong security policies and measures to protect customer information. We will continue to monitor the settlement proceedings for any further developments.