We previously alerted readers to the fact that the most recent data compromise of 23andMe exposed data related to Ashkenazi Jews and individuals of Chinese descent. It is reported by Ars Technica, citing TechCrunch, that “nearly half of 23andMe’s 14 million users’ [information] was hacked,” estimated at 6.9 million users.
23andMe is notifying affected users. It has also been sued in multiple class action suits in the U.S. and Canada.
23andMe is now telling users whose information was compromised that suing is futile, which is pretty accurate. Notwithstanding the legal defenses to the suits, which we will not comment on, the practical reality is that plaintiffs who sue companies following a data breach usually do not receive any compensation for the compromise, unless they are named plaintiffs. Plaintiffs may receive extended credit monitoring, or have the ability to make a claim to get paid a minimal hourly rate for the time expended to respond to issues of identity theft, but damages are unheard of and elusive.
Realistically, the winners in a data breach class action suit are the lawyers–the lawyers who represent the plaintiffs receive significant fees for bringing the action–and the lawyers defending the companies may also get paid significant amounts. Our point is that consumers do not understand that in class action data breach cases, they are just not going to see dollar signs in damages. So, although 23andMe is getting some negative publicity for sending a letter to plaintiffs’ lawyers explaining that bringing suit is futile, the reality is, that for consumers, that position is accurate.