January 5, 2024 at 04:03PM
23andMe denies liability for the leak of users’ genetic records due to credential stuffing, attributing blame to users’ negligent password practices. The company defends against alleged breach of privacy laws, highlighting security features available to users and minimal potential harm from the accessed data. The incident prompts considerations of shared responsibility between users and service providers for account security.
Based on the meeting notes, it is clear that there is a contentious issue surrounding the responsibility for the leakage of genetic records from 23andMe. The company’s lawyers assert that users should bear some responsibility for the data exposure due to negligence in password security, citing the users’ failure to update recycled passwords. They also argue that the stolen information may not have included data that could cause financial harm, thereby attempting to mitigate the severity of the breach.
However, it is also noted that 23andMe had security features available to its customers, such as two-step verification, which could have potentially prevented the breach. The discussion also raises the broader question of where the responsibility lies when credentials leak, with the acknowledgment that both users and service providers share liability.
The meeting notes feature insights from Steve Moore, the vice president and chief security strategist at Exabeam, who emphasizes the need for shared responsibility between users and service providers. He advocates for a customer’s bill of rights that outlines minimum requirements for managing sensitive personal information, such as strong credential checks and adaptive authentication.
In summary, the meeting notes capture the legal arguments and industry perspectives on the issue of responsibility for leaked credentials, highlighting the complex and evolving nature of cybersecurity and liability in the digital age.