With the news that human genetics and biotechnology entity 23andMe has declared bankruptcy, some are concerned with the future of the sensitive data the organization possesses. The company’s assets are currently being sold to the highest bidder, potentially placing the genetic information of customers at risk. 

While the organization assures this will not occur, The Office of California’s Attorney General has urged consumers to reach out and request the organization destroy test samples, delete data, and prohibit the use of their data for research. 

Below, security leaders share their insights on the possible data risks. 

Security leaders weigh in

Gal Ringel, Co-Founder and CEO at Mine:

When a company that’s built on personal data collapses, it forces the entire industry to confront an uncomfortable truth: user trust is fragile. Genetic data isn’t like passwords or credit cards — you can’t reset your DNA. People shared their most intimate information believing it would be protected not just during business-as-usual, but in worst-case scenarios. That kind of trust has to be earned continuously — and preserved even when the business model fails.

The 23andMe case isn’t just about bankruptcy or leadership change. It’s about what happens when the value of data outlasts the company that collected it. Consumers are now asking questions companies should have asked themselves much earlier: Who owns this data? Who controls it during an acquisition? Can it be sold? Should it be? These aren’t theoretical concerns, they’re central to any business working with personal or sensitive data. This is a wake-up call for the tech world to take data stewardship seriously, before it’s too late.

The industry needs to shift from reactive privacy measures to proactive data accountability. That starts with embedding privacy and data lifecycle planning into the foundation of every product and every company, not as a legal afterthought, but as part of the architecture. It’s no longer enough to promise data protection “while operations continue.” Companies must plan for data handling in every scenario, including transitions like M&A, shutdowns, or restructuring.

There should be clear, enforceable standards around what happens to user data when ownership changes — who retains control, how consent is preserved, and what rights users have in that process. Transparency shouldn’t depend on a press release after the fact. If your business is built on sensitive data, your responsibility to protect it should outlast the business itself. The real fix isn’t just better policies. It’s cultural: making data protection a strategic priority, not a compliance issue. That’s how we begin to rebuild trust - not just in one company, but in the tech industry as a whole.

Darren Guccione, CEO and Co-Founder at Keeper Security:

The protection of genetic data requires more than just encryption — it demands strict privacy, access controls and robust identity security. Organizations handling this type of incredibly sensitive data must implement a zero-trust approach with stringent internal controls, ensuring that access is tightly restricted to only those who absolutely need it. Privileged access management is essential to minimizing risk, preventing unauthorized access and limiting the potential damage of a breach. Companies should enforce strong authentication requirements, regularly audit access logs and restrict third-party integrations that could introduce vulnerabilities. 

Organizations storing any personally identifiable information, including attributes of users’ DNA, should meet recognized security certifications such as SOC 2 Type 1 and Type 2 and ISO 27001, 27017 and 27018. These certifications demonstrate that the company has established robust controls covering confidentiality, security, privacy, risk management practices and internal audits to safeguard sensitive data, processes and infrastructure. Regular monitoring and periodic audits are key to ensuring continued compliance. Organizations can implement automated tools and conduct periodic assessments to ensure suppliers are adhering to required standards and regulations. By maintaining recognized security certifications, organizations are upholding high standards of security and compliance, including adherence to international regulations.

Consumers also need to be empowered with greater control over their data, including clear pathways for deletion and visibility into how their information is used. Due to uncertainty over the future of the business, and the data it holds, 23andMe customers should consider contacting the company to have their genetic information deleted.

As an industry, we must push for stronger security and accountability to ensure all genetic data remains protected, regardless of corporate transitions or ownership changes.

Casey Ellis, Founder at Bugcrowd:

This turn of events is an unfortunate, yet timely reminder that, no matter how well or poorly your data is protected at a technical level, it is still subjects to the risk of the company going bankrupt and selling it in ways you cannot control. DNA is “a password the user cannot change” and once it is out, it stays out. Thinking through the risk/benefit trade-off is an important step for users to take, and one that is often overlooked when new technology and services hit the market.

Mr. Piyush Pandey, CEO at Pathlock:

In cases like this, a company’s financial or legal status can put ultra-sensitive personal data — such as genetic information — at risk in ways that existing legal frameworks don’t fully address. Until the government imposes stricter control measures and provides clear guidance on how to handle exceptional cases like this, it's unlikely we’ll see any significant action from companies.

Customers can require 23andMe to delete all the information it holds on them because genetic data falls under the California Consumer Privacy Act (CCPA). The business can face legal and financial consequences if such requests are not fulfilled. If, after submitting a deletion request, a customer does not hear back within 45 calendar days (or continues to receive personalized ads related to their genetic tests) this may signal that their personal data has not been fully deleted and should be seen as a potential sign of non-compliance.