The 23andMe Bankruptcy and Genetic Data Security

Tim Herr
For millions of people who embraced the ability to conduct DNA testing by mail, this technology represented an exciting blend of cutting-edge innovation and modern convenience. Learning new information about their ancestry even allowed many customers to feel an important sense of heritage and connection to the past. But when the news emerged in late March 2025 that testing giant 23andMe was declaring bankruptcy and planned to auction off its assets – potentially including that all-important genetic data – customers got an unexpected taste of the future.
Regulation lags reality for genetic data
23andMe does have a privacy policy stating that no personally identifiable genetic data will be sold or released without customer consent. But that policy can be changed, and there is great uncertainty over who will acquire the data and how they will use it.
What may come as a surprise to customers is how weakly regulated their genetic data is. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers and insurers – but not companies with a business model like 23andMe. The Genetic Information Nondiscrimination Act provides some protections, as do patchwork state-level laws, but gaps remain. For instance, there is no federal law prohibiting life insurance providers from discriminating on the basis of genetic data.
According to sociologist Alondra Nelson at the Institute for Advanced Study:
We have gotten 20 years into this industry, and we are about to have a major exchange of 15 million sets of people’s data, and we have still not figured out policies that are protective for people.
It's safe to assume, however, that there soon will be more regulation covering genetic data, and that it will probably create some novel compliance challenges. When companies adjust to new regulatory realities – asking for consent to collect data under GDPR, for instance, or setting up continuous monitoring of customer payment information for PCI 4.0 – they tend to do so within the framework of familiar types of sensitive data. However, genetic data is different from standard types of Personally Identifiable Information (PII) and Personal Health Information (PHI) in ways that can make it difficult to identify and manage.
Non-standard PII and PHI beyond genetic data
So, we’ve established that security and privacy issues surrounding genetic data are only going to become more significant, and this may raise concerns about your individual privacy. But what is the lesson here for enterprise organizations that don’t directly handle genetic data? Why should you care if your company isn’t one of the relatively few doing business in this area?
The reason is that genetic data is just one representative example of a type of non-standard sensitive personal information that is steadily becoming more widespread and important. Other types of data that fit into this category include:
- Biometric data
  - Fingerprints
  - Retinal scans
- Fitness and personal health app data
  - Heart rate
  - Sleep
  - Menstrual cycle
  - Blood sugar level
- Facial recognition data
We live in a world in which companies are continually finding new uses for all kinds of data that shed light on our spending habits and day-to-day needs. For organizations that deal with any of these or other emerging data types, it is critical to be able to reliably identify and secure this data – regardless of whether the law requires it yet. We owe our customers the resolution to act as good stewards of their private data.
Forcepoint provides data security for emerging sensitive data formats
Forcepoint data security solutions are ideally suited to protecting non-standard PII and PHI, both proactively identifying it and blocking its exfiltration. To start with, Forcepoint Data Security Posture Management (DSPM) scans data-at-rest in repositories across your organization, using the groundbreaking AI Mesh engine to improve classification accuracy. This yields a complete view of all sensitive data to be found across your organization, and the AI Mesh can be trained to better understand your unique data holdings, including unconventional types of PII.
For continuous monitoring of your data to prevent breaches, Forcepoint Data Detection and Response (DDR) extends protection to data-in-use. This solution employs automation to dynamically respond to threats and stop data loss, securing sensitive data even in non-standard formats.
Finally, Forcepoint Data Loss Prevention (DLP) watches over data-in-motion and applies controls to prevent it from exfiltration and loss. This includes out-of-the-box compliance for over 80 countries, with a library of over 1,700 pre-defined policies and classifiers to streamline compliance. This allows organizations to quickly orient data security policies to new regulations and to meet the highest standards for both security and compliance.
Taken together, these three solutions offer protection for data throughout its lifecycle, with the ability to adapt to emerging and non-traditional forms of sensitive data. No matter what kind of PII or other sensitive data you use to meet your business objectives, Forcepoint solutions empower you to protect your customers’ privacy and achieve a strong data security posture in a rapidly changing world.
Talk to an expert if you’re ready for a trial of a Forcepoint solution.
Tim Herr serves as Brand Marketing Copywriter, executing the company's content strategy across a variety of formats and helping to communicate the benefits of Forcepoint solutions in clear, accessible language.