In this Reputation Nation case study, Anne Marie Malecha and Stacy Bratcher examine the fallout from 23andMe’s data breach beyond the technical incident—focusing on board oversight, founder optics, and crisis communications that shaped public perception and legal exposure.
They discuss how a $30M class action paled in comparison to the erosion of trust, why blaming customers for password reuse backfired, and how rolling out MFA post-incident didn’t meaningfully restore credibility without transparent progress updates. The episode also explores directors’ fiduciary duties during a crisis, the implications of an entire board resigning, and the reputational and operational stakes when a founder seeks to buy back a company during bankruptcy.
Stacy (00:00)
In this episode, we’re tapping into Anne Marie’s crisis expertise to break down 23andMe’s response to a deeply personal data breach and the company’s overall downfall. We’ll explore how their actions in messaging, or lack thereof, worsened the damage, what lessons this holds for companies in high trust sectors, and why getting comms right is just as critical as getting the legal strategy right. Hey, Anne Marie, how are you?
AMM (00:23)
Good to be here today.
Stacy (00:25)
It’s super fun, and 23andMe is sort of a use case in what not to do, I think, from a comms and a legal standpoint. I want to just dig in a little bit about, if you’re thinking about the whole issue, what was the first communications mistake that 23andMe made once the breach became public?
AMM (00:44)
I’d say the first mistake they made is not protecting their data, but the first mistake they made once the breach became public is blaming their consumers for poor data security and saying that the repeat use of passwords was the problem that created the data breach. One, that’s probably not true. Two, it’s almost impossible to know what is the cause of a data breach in such short order. And three, in the villain-victim-vindicator construct that we see all of these crises play out, the last thing you want is who is going to inevitably be the villain to be blaming the victim for the issue and the kickoff of the crisis.
Stacy (01:25)
Yeah, I’m going to take a note here. No victim-blaming.
AMM (01:27)
No, no victim blaming. It doesn’t really matter what the type of crisis is. I think we talked a lot about no victim blaming in the cases of individuals versus institutions. And we saw a lot of that in the Me Too movement, but it still stands. Even if it is their fault, it doesn’t generally benefit you from a communications perspective or a legal one.
Stacy (01:50)
Yeah, absolutely. Well, a related question. You know, what is the right tone to take in the case of especially where there’s a breach involving something as sensitive as a breach of DNA data? How should a company show empathy and restore credibility?
AMM (02:06)
It’s really important that you don’t dig yourself in a deeper hole. So having some acknowledgement of the fact that that data that folks find to be very personal to them is out in the world requires an element of empathy. You’re not going to be able to come in and say, we’re so sorry, we did all the wrong things here. That’s going to negate your insurance coverage and cause other legal liability as you go along. But to have a little bit of a human touch and say something to the effect of, you know, this is an unfortunate situation. We’re doing everything we possibly can to close off the breach and determine what the cause is. Just to have some element of we’re human, we made a mistake, we’re working on it, it’s going to help. You’re never going to please everyone. So, you know, it’s really easy for people to be the armchair quarterbacks and say, well, they got it totally wrong. I don’t generally like to do that. But the 23andMe initial communication was not great. They would have been better, honestly, not saying anything and waiting a few more hours or even days to get language in place that sounded like they gave any sort of modicum of a care.
Stacy (03:13)
Well, in my experience, we focused on some of the go forward like, yeah, this thing happened, but let’s turn the page. Let’s talk about how things are going to be better. Two factor authentication was rolled out after the breach, but not before. When you’re advising a company post incident, how do you turn late action into a moment of regained trust?
AMM (03:33)
You have to communicate progress. That’s one of the most important things in a crisis and one of those things that some companies struggle with in the sense of, if we say we’re doing something more, we’re bringing attention back to the problem we had at the outset. But if you’re not doing that, then the belief is you’re not doing anything at all. And unfortunately, people really like being told what’s going on in addition to being shown what’s going on. You have to do both today. You know, two factor authentication is great.
And the technology has evolved across the board since 23andMe started. And forgive me, I’m not a two-factor authentication expert, but my guess is that that wasn’t really commonplace when 23andMe started and then it became something that was. And if you’re protecting other people’s information in whatever form or fashion it is, you have a duty to do that. And if two-factor authentication was a technology that was being used in other places, then that’s part of 23andMe’s business model of continuing to improve their standards and systems. I don’t think it wins you a ton of favors to come out and say, okay, hey, we had this breach, look at what we’re doing now, but it is a baseline of which you need to do that and you need to communicate it. And you probably, in the communication of that, should have acknowledged to an extent that, you know, we’re glad we’re rolling this out now. This will help us avoid the problem we had in the past. You can’t say we should have done it sooner, but, you know, to the extent you can have a tone attached to it of, you know, we wish we would have been able to do this sooner, but these, you know, these technology onboardings are not a flip of a switch. These take months to plan in many cases. So they’re not going to gain back credibility overnight for doing any action of any kind, because trust is earned.
Stacy (05:17)
Yeah, no, totally. And I want to go back to, you know, the first 24 hours. You were talking earlier about how that’s kind of the pressure cooker. And, you know, I know from my own experience, you know, somebody is, something’s happened or there’s a news article, somebody saying something about your company, and there’s a lot of pressure. We’ve got to get our story out. And, you know, that isn’t always the best thing, to shoot first or shoot back right away.
How do you advise leaders to strike that balance in the first 24 hours?
AMM (05:47)
You need to gather as much information as you can in the time that you have before you make a decision. Now that’s hours or minutes, not usually days anymore. And in the culture we live in where everybody’s on their phones, news is breaking faster than anyone knows what to do with. The breaking news moniker doesn’t really mean anything anymore. Everything is breaking news, but this is where strong leadership really comes to bear. And whether you have a dedicated crisis team in place or not, you do generally in an organization of any size have a leadership team of some sort and having the ability for that team to very quickly say, all right, this is what we know, how far can we go with what we can say and what are we able to do from an action perspective are kind of the recipe of the three things you want to have in hand as you go out with a statement.
You don’t want to be accused by the media of saying no comment. That does not help you. So being able to say something of we’re assessing this situation, we plan to come back and update you at X time is much better than saying nothing at all. If you can come out with a little bit more detailed information of we understand this is what the problem is, we’re working to address it as quickly as possible. Our focus is there instead of speaking with the media right now, we will come back and address our staff, colleagues, customers, other stakeholders, including the media in time. You used to be able to buy yourself a little bit more time before I think you had to put a statement out right away and that time window is shifting. However, there are times where it is worth waiting an extra hour because you know you’re going to get an additional piece of information rather than going out ahead of that and then having to correct or retract or shift.
And it’s a delicate balance. There is no perfect, if you do A, then B will happen, and C will happen. Or if these three things are the case, then here’s your formula. It is really situation dependent. And that’s where being able to make decisions quickly with limited information and understanding that you might have to deal with some additional fallout for whatever you put out in the first 24 hours is a part of crisis management.
Stacy (07:54)
Like, in today’s day and age, where we are deluged with news, you know, how much attention, like, once that initial story breaks and you get out your “we’re assessing it” or whatever, I mean, don’t people move on? It feels like sometimes the company gets, like, not everybody is paying that close attention, you’re not that important, like, once the initial splash has happened.
What are the scenarios where those stories keep percolating?
AMM (08:24)
In most cases, the crises clients are facing, they’re paying the most attention to. That’s human nature, it’s happening to you. One of the things we do with our clients immediately is to start monitoring for what’s happening around us in these situations. If we’re engaged long before, we generally have that sort of monitoring happen, so you’ve got a real-time risk assessment as you’re going. If we’re engaged on the back end, that’s one of the first things we want to do, because proportional response is everything. You do not want to make your crisis front page news when it is, you know, page 10 of the city section. That’s an old reference for people that know what a physical paper looks like. But people aren’t paying attention to it in the same way you are, which is why often you really have to think about your audience and who matters most in a crisis. It’s going to be your employees. It’s going to be the people that have a direct touch to what your business is. So is that customers, clients, your supply chain, the neighbors around your building, if it’s a physical issue? Those are the things that you want to take into account first and foremost, probably more so than the media. You may have to address them publicly. And sometimes the media is a useful tool to be able to say, hey, stay away from this area, it’s unsafe. Or we will have more information on where people can turn back in their food that’s been recalled, or here’s the website to go to, etc.
So that’s something to think about, but monitoring really matters. And I often have to be the one that says, all right, I’m looking at the chatter and you’re registering as like a 0.5 on a Richter scale, if you will. Let’s not make it bigger than it is. We talk about needing to communicate progress with crisis management as you go along. To that end, you also don’t want to tell, you know, all of the, however, eight billion users on Twitter that exist now, or X, some information when you could have sent an email to your 15,000-customer newsletter list. So segmenting audiences is really critical in a crisis too, and understanding who’s in your universe and who really matters.
Stacy (10:30)
Yeah, let’s talk just a little more granularly about, you know, an internal audience. It’s an audience that I think sometimes people forget. You get so focused on the story and the external, but, you know, in my experience, employees can make up, if there’s a void, they’ll fill it with whatever information or gossip or rumors they think they know. So, let’s talk about internal communications and how you approach that.
AMM (10:56)
There’s a phrase that all politics is local. And I think that’s something that applies in a crisis, particularly to employees, maybe vendors, sort of your inner ring of constituents of an organization. Your internal audience is probably the most important audience you have. Now, if you’re a publicly traded company and you have shareholders and you’re going to see an immediate drop in your stock price in a crisis, yes, that’s important too. And you need to address that. There’s regulatory bodies that might be important, but your internal audience, they can be for you, with you, and help you through, or they could be one of your motivated adversaries that you have to handle and address at every step along the way. It’s not always an either or. You probably have some sets of people that are really with you and some that are not, and so you have to manage that accordingly. But speaking to your audience that is the closest to the organization, I think, is really important. To that end, I think a lot of firms like ours are focused on having internal-specific teams that can quickly get up to speed on how a company generally talks to itself. You might have a crisis warning system where there’s a text message that goes out to everyone, or you may only communicate via an email once a week. Understanding how a team wants to hear from its company is critical, and we really try and work to have our clients focus on their internal audiences so that there isn’t a vacuum created, because there’s nothing anyone loves more than water cooler gossip. And if you don’t have something to say, someone will create a narrative for you.
Stacy (12:30)
No question. One of the things I wanted to ask you about is, you know, there’s 23andMe in particular, you know, you had the board resign en masse and the founder kind of rebuying, trying to take the company over herself. To what extent do you wish that boards and leadership, what would you like boards and leadership to understand before their next breach?
AMM (12:55)
You’re always picking between the best of bad options, and the belief that there’s going to be some easy one-and-done solution that’s going to get everybody out of this quickly doesn’t exist. I have yet to see that, except for if there becomes a bigger crisis somewhere else that everyone else can pay attention to. Which, listen, I’d rather be lucky than good. And that’s something to think about, but boards really need to realize that they have a responsibility to ensure that there’s clear objective and direction in what you want the ultimate outcome of the crisis to be, and make sure that everyone working within the team, both day-to-day management, the board itself, special committees that exist within the board, and any external advisors, are rowing in the same direction, because infighting in a crisis is very common. If you’ve got personalities that existed in times of peace, in a crisis they are times ten, and you can’t have that. There just simply isn’t time for ego to be involved in the process, and a board is one of the few places that can go to an executive and: we understand your concerns, this is what’s in the best interest of the business, and this is the way that we’re moving. And boards often do have to exert a level of, I’d say, day-to-day administration that many of them don’t want to have, because I think most folks that sit on corporate boards have done their time in the trenches of active management and prefer to have a more passive role, but in a crisis, the board is really important.
Stacy (14:22)
Can you share some perspective on the optics both publicly and internally when a founder steps down and then turns around and tries to buy the company back?
AMM (14:30)
I wish I knew more of the ins and outs of what was going on at 23andMe, because generally if a founder steps down there’s good reason for it. And I would imagine that there was some serious clash among the management with the board, other executives. Founder syndrome is real. Founders have a very different view of what they’ve built, and that’s fair. They’ve built something that has taken time, you know, been a labor of love for most of them, and if they don’t feel that it’s working well, that’s a tactic. We’ve seen this happen with other companies, some AI companies that are in the news these days. Buying it makes me really believe in it. Now, I’m not a particularly altruistic person; being in my line of work, that’s a difficult thing to be.
So I would say the word ego comes to mind. I would imagine that this person doesn’t want to see the thing that they built fail and feels that perhaps they could turn it around. And maybe that’s true. We’ve certainly seen companies emerge from bankruptcy to become better, stronger, different, more agile organizations. And that might be a possibility, but it’s difficult as a founder, if you’ve been labeled as part of the problem or part of the downfall, to sort of come back from the ashes. You’ve got, you know, this former founder of WeWork who’s now got a venture fund, and every story that mentions his new venture fund, you know, “former founder of bankrupt WeWork” is in each story.
Stacy (15:56)
Can his comms team help with that?
AMM (15:58)
They could, but it’s true, so you can’t tell a reporter to take it out. I think he’s done a pretty good job of reframing. I think one of the unfortunate challenges here is that you have a female executive, and they’re held to a different standard in terms of the media as well. Ouch. Which is an unfortunate reality, but one that she’ll have to think about as she tries to regain trust and potentially reshape a new organization, if that ever comes to bear.
Stacy (16:23)
Yeah, I want to, want to, to me, 23andMe, the crisis is about trust. And, you know, we talked on an earlier episode about, you know, DNA data being so personal and people having a certain expectation about how that’s going to be managed. And, you know, the data breach and the victim blaming, all of that, you know, just, I think, added fuel to this fire. And I’m wondering, you know, if you have thoughts about when trust is lost at this scale, and when that’s such an important, I feel like a core part of a business like this, is recovery possible, or does the brand just have to reboot, start over?
AMM (17:04)
Recovery probably is possible, because people’s memories are short, but what does the new company look like, and how are you going to, as an organization, assure people that the same issues that happened in the past will not happen in the future? If you want to recover and you want to keep going, people are often willing to give you a second chance if they feel some of those assurances are there. And the phrase trust is earned is real. You can lose someone’s trust in an instant. Gaining it back takes time, effort, resources, and it’s also not a linear path. So every mistake that could be made in the course of regular business is going to be seen through a heightened lens when you’re in a recovery phase. Which means you’ve got to plan really well, you’ve got to execute really well, and there’s not a lot of room for error. Which leads me back to why would a founder really want to pursue that if they don’t feel something; if there’s an economic opportunity, an opportunity to innovate, change, etc., I wouldn’t take it on. You know, the founder of 23andMe obviously feels differently than I do about this, but…
Stacy (18:10)
She’s got 10 million DNA samples.
AMM (18:14)
And there is a value in having 10 million DNA samples. What exactly that value is, is unclear, and how that value can be monetized. You know, the other thing about trust is trust is a value judgment. It’s not, what trust means to you and what trust means to me might be slightly different, and people know it when it exists and they know it when it doesn’t. And so you’re trying to attack, with logic, an intangible feeling that people have about you. And if you think about elections, people will say, well, I just didn’t like that candidate. Doesn’t have anything to do with what they thought or what their platforms are. It’s a feeling. And unfortunately, trust, I think, in corporate executives can be similar. So there’s probably going to have to be both the exercise of trusting the executive and then trusting the company and the product. And that’s a multifaceted, multi-pronged effort that they’re going to have to undertake.
Stacy (19:04)
Yeah, not an overnight fix.
AMM (19:06)
At Reputation Nation, we’re not just here to comment on the headlines. We’re here to give you real, actionable insight. That’s why we close every series with our Fast Four: four key takeaways you can apply when it’s time to litigate and communicate.
Number one, deflection isn’t a defense. In a crisis, accountability builds trust. Deflection destroys it. If you have to deflect, know it’s a stall, not a long-term solution.
Stacy (19:28)
Number two, bankruptcy does not erase accountability. The court may clear the balance sheet, but the reputational debt remains.
AMM (19:35)
Number three, if data is the product, law has to be the foundation. The more personal the data, the more unforgiving the court of public opinion and the court of law may be.
Stacy (19:45)
Number four, trust is the first thing to go and it’s the last thing to return. People won’t just question what you did. They will question everything you say next.