The need for privacy is in our genes
The challenges of protecting genetic data are numerous.
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- Two-thirds of healthcare organizations were hit by ransomware in the past year.
- Smart glasses have been turned into a doxxer’s dream device.
- How to design a US data privacy law.
But first: With DNA testing company 23andMe in crisis and its fate uncertain, the issue of genomic privacy is back in the headlines.
If you only read one thing:
23andMe and the importance of privacy for genetic data
Last month, all seven independent directors of personal genomics company 23andMe resigned following a protracted negotiation with founder and CEO Anne Wojcicki, who plans to take the company private.
This quarrel over the future of the company comes a year after a major data breach affecting half of its customers, with data accessed including raw genotype data, health predisposition reports, and carrier-status reports. The attack led to a class-action lawsuit the company has agreed to settle.
Meanwhile, the at-home DNA testing and genealogy market has lost its shine; most of the potential customers interested in tracking their ancestry may have already done so. 23andMe’s launch of a new subscription service with comprehensive genetic testing, regular blood screening, and access to a clinical care team has failed.
This all leads one to wonder what will happen to 23andMe’s genetic data. In settling the class-action suit, the company agreed to implement (minimal) cybersecurity measures – mandatory two-factor authentication, annual reviews – to help prevent such an attack happening again, but it’s hard not to look at its diminished finances and board exit and wonder whether cybersecurity will be getting the attention it needs.
Genetic data is different, and requires different protections
DNA and genetic data are uniquely vulnerable. Each DNA sequence is unique (with the exception of identical twins), so it cannot be anonymized the same way as other types of data. You can’t reset it or request a new version of your DNA if it is accessed, as you can with a password or passport number. It doesn’t get much more personal, or more immutable.
Genetic data is also intertwined, leading to complicated notions of consent. When the genetic data of one individual is processed for any purpose, the sensitive data of all related individuals is also processed, whether or not they have provided consent. That 23andMe hack discussed above initially involved the brute-force attack of 14,000 user accounts, but this soon expanded to 6.9 million users, who were related to those initial victims.
In a blog post from earlier this year, the Federal Trade Commission said protecting biometric data, including genetic data, was a top priority. Among other recommendations, the agency said companies should secure genetic data and user accounts.
The legal landscape for genetic privacy
FTC enforcement is welcome, as it is clear these services are security laggards. But what does the law, in the United States and elsewhere, have to say?
- The US has the Genetic Information Nondiscrimination Act (GINA), a non-discrimination law that restricts the access of issuers of health insurance and employers to individuals’ genetic information. The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy by restricting the sharing of patients’ medical information, though this restriction only applies to “covered entities” and “business associates” of covered entities, excluding online genetic testing companies and genealogy websites.
- The GDPR includes genetic data in its definition of a special category of data requiring additional protections.
- And in Australia, there exists a patchwork of laws protecting genetic data. The Australian Federal Government agreed in principle to amending the Privacy Act to include genomic (genetic) information in the definition of sensitive information, but this amendment was unfortunately not part of the first tranche of changes to the Act introduced last month.
I have personal experience in this area. Six years ago, following a health issue, I sought genetic testing at an Australian hospital to see whether I carried a gene that would mean a higher risk factor for my family. Because I work in the data privacy field, naturally one of my first questions was: what happens to my genetic data once the test is done? “It’s added to the hospital’s drive”, I was told. Unencrypted, available for anyone in the system to access for whatever purpose, with no opt-out clause, and no oversight.
The advent of AI has made genetic testing routine, and it is hard to imagine this rate of progress will reduce over time. As well as providing benefits at the individual level, there are also significant societal benefits from genetic testing.
But how do we balance the benefits against the privacy risk?
What do we lose when we have no legislative framework to protect this data? Because of the interconnectedness of genetic data, its uniqueness, and its immutable nature, it needs to be protected so we maintain control over the data. Otherwise, we lose control of what makes each of us unique.
🕵️ Privacy & governance
NASA has been revealed as a customer of controversial facial recognition company Clearview AI.
A pair of Harvard students added facial recognition to Meta's smart Ray Ban glasses, allowing them to automatically look up someone’s face and identify them, then pull other information about their subject from around the web, including their home address, phone number, and family members.
2025 will begin with five more US state privacy laws going into effect, with Delaware, Iowa, Nebraska, New Hampshire and New Jersey joining the privacy patchwork party.
Related to this month's editorial, the issue of neural privacy is becoming urgent, as California signs a bill into law.
The Office of the Victorian Information Commissioner ruled that the Victorian Department of Families, Fairness and Housing breached privacy through the use of ChatGPT, when a worker used the Generative AI platform to produce a Protection Application Report (PA Report) – a report that is submitted to the Children’s Court to inform decisions about whether a child requires protection.
Opinion: How to design a US data privacy law.
🔐 Security
An extortionist armed with a new variant of MedusaLocker ransomware has infected more than 100 organizations a month since at least 2022, according to Cisco Talos.
Two-thirds of healthcare organizations have been hit by ransomware in the last year, according to a new survey.
Cybersecurity giant Fortinet has confirmed it suffered a data breach, following a threat actor's claim to have stolen 440GB of files from the company’s Microsoft SharePoint server.
The personal data of Australia's national security officials is at risk of being on-sold to foreign actors, according to a new report.
An interesting essay arguing "cybersecurity awareness" won't improve employee cybersecurity habits, and instead, we need to focus on "cybersecurity UX" and making it easy for employees to make secure choices.
Why Australian businesses are most vulnerable from within.
Nearly half of Australian businesses dread cloud breaches hindering ops.
The latest from RecordPoint
📖 Read:
The essential guide to implementing risk management frameworks.
Case study: How Historic Environment Scotland transformed its physical records management to improve GDPR compliance.
Case study: how the Department for Correctional Services – South Australia reduced file processing times, improved information accessibility, and lowered operational costs thanks to RecordPoint.
As educational institutions around the world digitize their operations — many of them through Google Workspace for Education — there has been an increased need for comprehensive data governance. We explore the most common challenges schools and universities face with data governance, and how RecordPoint can help tackle them.
🎧 Listen:
SPECIAL EDITION: Cassie Findlay, Principal at elevenM Consulting, and Chris Brinkworth, Director at Civic Data, join Anthony and Kris for an analysis of the first tranche of reforms to Australia’s Privacy Act.
During their conversation, they discuss the newly established tort and its many implications for Australian organizations, the Children’s Online Privacy Code, the requirement for transparency about automated decision-making, and the steps every organization should be taking to prepare for the reforms both in tranche one, and the upcoming tranche two.