The personal genomics and biotech firm 23andMe has been grappling with a cybersecurity dilemma that initially came to light on October 6th. And not only has security been revealed as a major issue but the company’s response to the breaches has also been alarming.
Notably, by October 19th, it had been revealed that there was a second breach conducted by the same culprit who took responsibility for the initial one. Astonishingly, they stated that they now had access to over 4 million genetic profile records. In a startling disclosure on December 4th, the overall fallout from this intrusion affected 6.9 million users.
As first discovered on Hacker News, in the midst of this crisis, 23andMe has decided to revise its Terms of Service (TOS), thus requiring users to agree to binding arbitration, a process in which disputes are settled beyond conventional court settings. An arbitrator, a neutral party, oversees the process and issues the final, unappealable settlement. This adjustment to the TOS aims to hasten dispute resolution, a tactic widely employed in situations like consumer contracts, labor disputes, as well as business conflicts.
As per the updated TOS, clients who have grievances will need to liaise with the company’s customer service team as the first point of contact to resolve the issue without legal proceedings. Arbitration takes precedence over lawsuits if this initial negotiation period, which lasts 60 days, fails to resolve the problem. The regulations surrounding arbitration are dictated by JAMS, a company specializing in these services. But when there are multiple similar disagreements pertaining to 23andMe, the alternate method of Mass Arbitration through another company, NAM, is utilized.
The arbitration decision is binding; yet, a few instances allow issues to be taken to court rather than arbitration, such as intellectual property conflicts and minor issues. Restrictions also prevent individuals from joining a class action or group arbitration against 23andMe. If elements of this dispute resolution segment are deemed unenforceable by law, the remaining parts still hold.
In light of their recent security breach, 23andMe users are advised to familiarize themselves with the methods of resolving potential disputes, which may now involve arbitration rather than lawsuits. Clients also cannot partake in class action lawsuits pertaining to these issues. 23andMe has begun updating users of these TOS changes and offers them a 30-day window to refuse these terms.
23andMe’s decision to resort to binding arbitration in the wake of its significant security breaches raises several concerns. Firstly, the move to amend the Terms of Service to mandate arbitration can be viewed as a strategy to limit legal exposure and control the narrative around the breach. This approach might be seen as prioritizing the company’s interests over the rights of the affected users, who may prefer the transparency and public accountability of court proceedings. The binding arbitration process, often conducted in private, lacks the same level of scrutiny and public record as court cases, potentially obscuring the full extent and implications of the breaches.
The introduction of arbitration, particularly with the exclusion of class action lawsuits, can be perceived as a means to dilute the power of the consumer. Class action lawsuits are a critical tool for individuals, especially when dealing with large corporations. They allow for the consolidation of similar claims, making it feasible for individuals to seek justice against a well-resourced entity like 23andMe. By removing this option, 23andMe effectively isolates each claim, potentially overwhelming individuals with the financial and emotional burden of solo legal action. This tactic could deter many from pursuing their claims, thereby reducing the likelihood of 23andMe facing substantial repercussions for the breach.
The imposition of a 60-day negotiation period before arbitration can commence might be construed as a delaying tactic. While ostensibly a period for resolving disputes amicably, it could also be used by the company to manage and potentially minimize claims before they reach arbitration.
