United States of America: Approved settlement agreement in lawsuit against 23andMe over non-compliance with cybersecurity regulations

Description

Approved settlement agreement in lawsuit against 23andMe over non-compliance with cybersecurity regulations

On 5 September 2024, the San Francisco Federal Court approved the settlement in the lawsuit against 23andMe over non-compliance with cybersecurity regulations. The lawsuit was initiated due to a security incident announced by 23andMe in October 2023, in which the company discovered that the personal data of approximately 6.4 million US customers had been accessed without authorisation. Multiple class action lawsuits were filed, accusing 23andMe of failing to protect personal information adequately. On 5 June 2024, the court consolidated these lawsuits. After a series of mediations, a settlement was reached on 12 July 2024, under which 23andMe agreed to establish a USD 30 million settlement fund for affected individuals. The settlement includes business practice commitments to enhance data security, including password protection, multi-factor authentication, annual cybersecurity audits, and retention policies for personal information.

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
other service provider
Implementation Level
national
Government Branch
judiciary
Government Body
court

Complete timeline of this policy change

2024-09-05
under investigation

On 5 September 2024, the San Francisco Federal Court approved the settlement in the lawsuit against …