If your DNA gets stolen, sold, and abused, it is worth $4.35. Even the largest class action lawsuit wins seldom pay double digits to the victims. You have to leave the US to find any meaningful penalties against companies that ignore data security and privacy rights. The price for ignoring these technological aspects can quickly rise to the multi-millions and even billions once the EU or China gets involved.
Thus, let’s examine how we got into the situation of puny fines and what we can do to improve our situation.
The Cost of a Class Action Lawsuit
At first glance, the settlement amount of 30 million USD seems staggering. Yet, it only represents 10% of their 2023 annual revenue. In all likelihood, the company underinvested in cyber-conscious software design for years, so the settlement might represent less than 1% of their income over time. 23andMe has never been profitable and, thus, would call for a lower payment.
Yet, if you look at historical examples, the payment is relatively high compared to the financials. For example, T-Mobile had to pay only 10% of its 2021 profits for a data breach in the same year. For the 2017 data breach, Equifax paid about 10% of its revenue and 50% of its same-year profits.
Thus, 23andMe’s payment puts it squarely in the middle of the pack compared to its revenue. The most significant difference in this case is that it will hurt 23andMe considerably more than Equifax or T-Mobile. Equifax undoubtedly took a hit by losing half its profits, while T-Mobile likely shrugged off the payment more easily.
The American Way: Punishment by Consumers
Yet punitive damages from class action lawsuits are supposed to hold companies accountable. It is the uniquely American way that customers and citizens can hold corporations to their own contracts and industry best practices by winning company-threatening judgments.
Yet, when organizations can shrug off class action lawsuits, they have little incentive to change. After all, why pay 20 million a year for better cybersecurity practices if a lawsuit every 5-10 years only costs you 30 million? Taking the hit every five years saves you 70 million dollars.
Likewise, giving the consumer a stake might have been an empowering move initially. Instead of a king or the state telling companies how to behave, we can hold each other accountable for our wrongdoings. Yet, once the settlements come in, we are also told that the requirement to monitor our credit for the rest of our lives is only worth a fiver, and our DNA data is worth even less. These discrepancies can quickly turn us off the system and make us call for more regulations to pre-empt the whole class action setting.
Thus, it is no wonder that some 23andMe customers insist on their right to arbitrate their cases. After all, there is a chance to win a bigger payout and the vindication that your DNA data is worth more than peanuts.
Regulations and Punishment Worldwide
If you look into alternative systems, most of the world relies on the state to punish and prevent data breaches. In the EU, companies can get fined for not following data privacy and cybersecurity practices, even if they haven’t lost any data yet. Most Asian countries can go a step further and close down organizations with cybersecurity practices that represent a risk to society.
Yet, in the US, we cannot even agree on a regulation that requires a minimum amount of cybersecurity experience on the board of directors. How can boards oversee IT risks and cybersecurity culture without understanding the underlying material?
Unfortunately, our aversion to regulation makes punitive damages the only option in American society. It goes hand in hand with our idea of a weak state, but if done right, it can also give us agency over our own lives.
Costs Must Hurt For An Impact
Consequently, we must improve the outcomes for consumers in class action lawsuits. Telling us that lifelong credit monitoring is worth less than a bottle of soda doesn’t give us confidence in the system.
Likewise, if we want companies to change their ways, punishments must hurt. Right now, class action lawsuits are no risk to the company but an annoyance to the consumer. If that mentality prevails, we might see a push for a change in our regulatory landscape. Yet, such a change may be the only way for companies to see their data as valuable and worth protecting.