What starts as a breach becomes a full-company stress test when the data is genetic, the brand is consumer-facing, and the stakes are personal. In this Reputation Nation conversation, Anne Marie Malecha and Stacy Bratcher unpack 23andMe’s legal exposure vs. reputational debt; the rare en masse board resignation and its liability implications; and the optics of a founder seeking to repurchase the company during bankruptcy. They break down why blaming users for password reuse invited backlash and risk, how to communicate progress when rolling out MFA post-incident, and the playbook for the first 24 hours: verified facts, timed updates, and audience-by-audience messaging that doesn’t overpromise or accuse. The result is a practical, plain-language guide for CEOs, GCs, and comms leaders navigating crises where governance, product, and public trust collide.
AMM (00:00)
In this episode, Stacy will be leading the legal deep dive of the chaos surrounding 23andMe. We’ll look at how the breach of personal genetic data led to a $30 million lawsuit, how boardroom dysfunction played into legal exposure, and what happens when a company that holds your DNA files for bankruptcy. From governance failures to data ownership debates, this story is a legal case study in how biotech risks get personal.
Let’s get into it.
A lot of companies get hit with cyber-attacks these days. We’ve seen all kinds of them probably over the last 10 years. They’ve only increased and many in healthcare and other spaces that we all spend a lot of time and have a lot of data in. But 23andMe’s legal exposure seems different. What made this case stand out from a liability perspective?
Stacy (00:45)
Well, Anne Marie, I think there’s a lot that’s just the foundation of the business, where you have people giving their most private personal data to a company, and what they do with that data, how they protect that data, and the fact that they didn’t do a great job of that undermines the trust in the company. I think also, you know, just the founder being, you know, such a public person. A lot of the people involved, the Google layer. There were a lot of celebrities. Richard Branson financed the company. You and I have this shared experience: when you are a company that is so public and so broadly out there, I think that just ups the stakes. I’ll have to say that, you know, for class action purposes, a $30 million class action is really not that big. But what it did was undermine trust in the company. And I think we’re still seeing even today, you know, Congress is involved. You know, there are concerns about what’s going to happen in the bankruptcy with the data, etc. And so really, it’s the size, scale, and public nature of the company and then the sensitive information that they have that I think is really setting the pace in this case.
AMM (01:58)
I want to talk a little bit more about the public nature of how they operated in the world and the celebrities that they used and that additional layer that that has brought to them now when they’re in this sort of phase of the company’s existence. 23andMe relied really heavily on PR and marketing for their commercials and financial success. I remember there were a number of holidays where they were the primary ad that I would see anywhere of, you know, get your family DNA testing.
They also had a model that was sort of one and done, which from a financial perspective, you buy a kit once, you don’t really need to do it again. That obviously creates some challenges in and of itself as you’re looking to bring in new customers. But do you think that both the business model and the way they relied on marketing and their image of being the sort of innovator hurt them in a different way than we’ve seen other companies that have had to deal with bankruptcies?
Stacy (02:54)
Well, I think, you know, when you talk about, you know, the holiday marketing part of it, making medical testing into sort of a consumer good, I think is, you know, not risky is a way to describe it, but it’s, you know, people have certain expectations around their healthcare and around medical testing. And when you package that as something that you can get at Target, or buy online, and you have ‘spit parties’, you know, you’re making light of something that people have expectations around that’s taken very seriously and protected. You know, there’s been a lot written about HIPAA, the Health Insurance Portability and Accountability Act; those privacy rules don’t apply to 23andMe. And I think people are surprised about that.
Just because the product is healthcare adjacent. And again, that just sort of undermines the trust of the company that they are taking a more consumer retail approach to private information.
AMM (03:56)
In some ways, there are some similarities with Theranos, which I don’t want to take us off track here, but I think most people know about that case. And the idea that your health care is anything but sensitive information, it’s a different way of operating, and I think it causes a different sort of set of circumstances in how these have to be addressed from a crisis management and legal perspective.
Stacy (04:17)
Yeah, no question. I think, you know, with 23andMe, you talked about their one and done sort of model really not being a sustainable business. They were getting into drug discovery. They wanted to get into medical testing. They bought Lemonaid, which was a telehealth provider. So while they, you know, seemingly had one sort of product, they were really, you know, getting more, wading more into health care, which again carries with it higher expectations for conscientiousness and protection of data.
AMM (04:48)
Yeah, health information is a very different game than just an app on your phone. And I think we still don’t fully understand all of the privacy implications of the things that we like to use in our daily life. And this was a big reminder for people. And I think a really interesting story for journalists in particular, because there just wasn’t anything like it. 23andMe was sort of the first of their kind. And yes, they have competitors now, but we haven’t seen this anywhere else. And I think that as a consumer facing brand, you have a different standard that you have to adhere to than when you’re B2B or you’re not holding onto people’s personal information, particularly their most sensitive data.
23andMe initially pointed the finger at their users for reusing passwords as one of the primary causes of this breach. From a legal standpoint, do you think that deflection will help or hurt them in terms of the lawsuit?
Stacy (05:40)
Well, when there’s a breach, the established playbook is that you don’t say anything about how or why it happened. It can compromise your insurance coverage. It can create a roadmap for plaintiffs’ lawyers. So just as sort of general table stakes, the prevailing advice is don’t say. And by the way, it takes a long time and expensive forensic analysis to actually know. It can be years before you actually know how a breach occurred. So I think it’s incredibly risky to go out with any sort of statement. And from a business perspective, I don’t know that it’s ever a good idea to blame the victim. You know, I don’t really see that.
I mean, certainly they could have phrased it as, let’s give you some advice. Please, folks, don’t reuse your passwords. They could’ve framed it in that way. But using it as a deflection tool, I don’t think was a good move. And I think that it will come back to bite them both in litigation and possibly with other investigations and with their insurance coverage, to the extent they have any.
AMM (06:52)
You know, I think you’re absolutely right. The victim-blaming is a huge issue. And even if they were correct that reusing passwords is the reason, you almost never know the entirety of that in short order, much less weeks, months, years afterwards. Over promising and under delivering is the easiest way to do yourself more harm. And the first rule of crisis management is do no harm. And I can’t imagine the conversation that was happening in the room when they were thinking about, well, let’s just put it back on the people that use the same passwords over and over again. Somebody had to be saying that was a bad idea. I have to imagine if not, that goes to show you really need to know who’s on your crisis team before a crisis strikes. There’s no winning in that. And also, you know, to your point, you are going to have to communicate progress throughout these challenges.
You don’t have to have all the answers in the immediate term. And in fact, you can buy yourself some time by saying, you know, we’ve closed the breach, or our forensic investigators are working to close the breach. Like, that’s what you want to start with as opposed to, you guys did it wrong.
Stacy (08:01)
Right, totally, totally.
AMM (08:04)
You know, one of the important aspects to me in this case is just the willingness that we have as individuals to give a company that we don’t really know a whole lot about our DNA. Do users actually have any control or legal recourse over how their DNA data is used once they hand it over?
Stacy (08:23)
Well, certainly, I mean, with any sort of data sharing, there are terms of use, you know, with any kind of company, especially in California. Many states have consumer privacy laws. There are specific ones, and there are also the GDPR regulations in the EU. There are many, many rules around what consumers’ rights are with regard to their data.
So I don’t know to what extent 23andMe was adhering to those. DNA is a little different in that it’s not defined, at least in California, as one of the protected consumer pieces of data. But there are states that are trying to have a more specific regulation on that. There’s a federal law called GINA that is really about protecting genetic information from misuse by insurance companies or employers. I think that with 23andMe, we can predict that that will give rise to more regulation. But yes, generally your private information, your social security number, your birthday, your address, those things that you give over to companies, you have rights to tell companies not to use that anymore. And actually, we’ve seen in the case of 23andMe, many, many states’ attorneys general have issued directions to consumers on how to get their data back from 23andMe, which I don’t know that the company predicted would occur.
AMM (09:51)
I don’t think I’ve ever seen that either. It was really fascinating to me when that first came out and you had states advising, and it was sort of all over the media and social channels for a handful of weeks of, go get your data before you can’t and it’s held up in the bankruptcy proceedings. I certainly think there’s some precedent setting that’s gonna happen in this case in more ways than one, and that will be interesting for us to see as we go along here.
Speaking of interesting as we go along here, I want to talk about the founder of 23andMe, Anne Wojcicki. She still holds almost half of the company’s voting power and is now trying to buy it back during bankruptcy. There have been plenty of stories about her leadership and her tenure at the company and I don’t necessarily want to get into that yet, though I think we may unpack that in future episodes. But do you think from a corporate governance perspective that laws are keeping pace, especially in high sensitivity sectors like biotech to keep things like this from happening?
Stacy (10:52)
I would say through the courts. So you’re not seeing a lot of legislation directed at boards. The boards typically have the standard fiduciary duties of the duty of care, the duty of loyalty, duty of inquiry, and exercising sound business judgment. What you’re seeing, especially out of the Delaware courts, you know, the Boeing case, it’s a meaty one, but I encourage folks to look at that. The courts are setting standards around expectations of boards with regard to monitoring risks. So in the case of 23andMe, I think, you know, courts would be questioning how much the board was overseeing the cybersecurity.
That’s a standard sort of, again, table stakes report that most boards should be getting if the business relies on any sort of technology or data. So I think we’ll see more and more of that, Anne Marie, but it’s going to be through the courts.
AMM (11:46)
The board’s role is one of those pieces that every board operates a little bit differently, in the companies that we’ve helped over the years that have had both board governance issues and issues where the board has stepped in to sort of oversee when management’s been a problem. There are so many layers to that. And in this case, we saw an entire board resign after clashing with the CEO over the company’s direction. And…
What happens when a board does that? I mean, are they allowed to just walk away as part of their fiduciary duty and duty of care and all of those pieces that you mentioned? And then what responsibilities do they still have if they step down in the middle of a situation like this in particular?
Stacy (12:28)
I’ll say it’s very uncommon that an entire board resigns. That has not happened very frequently. With regard to the board members’ ongoing liability, they will be held to account for anything that happened during their tenure on the board. I mean, once they resign, you know, anything going forward, they’re not connected with, but, you know, certainly the data breach, the failure to have adequate safety and precautions, security measures over the data will be things that they could be held to account for. Now, I’d assume that 23andMe had a D&O policy, so these board members might not have personal liability, but you never know. Startups are, you know, founders are moving quickly and maybe they don’t have everything completely buttoned up.
Maybe they didn’t have a robust cyber policy. I mean, there’s a lot that, you know, kind of the boring infrastructure that board members should really make sure they investigate before they join a company’s board. So yeah, I think we can expect, you know, that there could be some lagging liability. You know, there, as I mentioned, Congress, three different committees announced an investigation into 23andMe.
So maybe those board members could be called to testify, you know, just the gift that keeps on giving.
AMM (13:43)
We always love regulatory follow-on. Can you define what a D&O is for our listeners? Because I think some folks might not be familiar with that.
Stacy (13:50)
Sure. Directors and officers’ policy. It’s a type of insurance that protects key individuals in the company, including the board directors. For any person, a lot of people aspire to be on corporate boards and it’s great. It’s a nice way to make connections and have an impact and make some money. But making sure that your company has an adequate director and officers’ insurance policy and that the bylaws of the company provide that the board directors will be indemnified by the company are two practical takeaways I would give to folks that are interested in serving on corporate boards.
AMM (14:27)
I think that the board in this case had a strategic reason for filing there, or for all leaving en masse at the same time when they did, because to your point, they wanted to have a line in the sand of where their liability stopped. And whether you know it’s going to get worse, or you just suspect it’s going to get worse, I assume they all wanted to be as free and clear of it as possible. And they’re still going to be stuck with some of these challenges as we go forward. But that is also something to think about both from a business and a communications strategy perspective. It sends a message and it does have an impact.
Stacy (15:03)
No question.
AMM (15:03)
When a company is in crisis, financial, legal, reputational, how does the board’s fiduciary duty shift? Are they expected to protect the company, the shareholders, the customers, or all three at once? And let’s in this case, for the sake of argument, assume the board didn’t resign. But as they were still in their capacity of board members, what role did they have in that?
Stacy (15:25)
Well, ultimately the board’s fiduciary duty is to the company, and they’re supposed to, as I said, be executing those fiduciary duties of loyalty, of care, inquiry and business judgment. You know, crisis can be very unsteadying, as you know, you know, that a lot of times I think people look into, like, what’s in it for me, you know, how am I exposed? You can have situations where folks want to distance themselves from the company, or, I’ve certainly been in a situation where board members were resigning during a crisis or tried to resign. You know, that’s because there is a friction point with those fiduciary duties. You are supposed to put the company above all else. And ultimately, you know, the shareholders and the customers are still part of that.
You know, your customer is the business. Without the customers, there is no business. So, you would hope and predict that what’s good for the company is also good for the customers. Shareholders don’t always agree. And, you know, there’s, I feel like these days, even more so, you see a lot more shareholder derivative lawsuits that are challenging company directions and board members specifically. So, you know, again, it’s tough, especially where the shareholders don’t agree with the leadership; it puts the board in a tough spot.
AMM (16:45)
Shareholder activism is a huge part of our business and has been growing over the last handful of years as shareholders have exerted their power or disdain about control and how management decisions are made. But I think it’s interesting to think about the fact that you’ve got a board with a responsibility to do what’s in the best interest of the company. And unfortunately, in crisis in particular, there’s always competing objectives.
You’ve got a management team that often wants to save their jobs or protect pieces of their control, their power, their fiefdom. And then you’ve got the bottom line to protect. And one of the things we encourage all of our clients to do and really sort of force their hand at doing early in an engagement is what does a win look like for you? Because it’s not going to be that you’re going to make everybody happy. There’s no way. And if you can’t coalesce around doing what’s best for the organization as a whole, you’ll never get out of it in any sort of fashion where you can get back to business quickly. It’s going to just be another mess.