We previously alerted readers to the fact that the most recent data compromise of 23andMe exposed data related to Ashkenazi Jews and individuals of Chinese descent. Ars Technica, citing TechCrunch, reports that “nearly half of 23andMe’s 14 million users’ [information] was hacked,” estimated at 6.9 million users.

23andMe is notifying affected users. It has also been sued in multiple class action suits in the U.S. and Canada.

23andMe is now telling users whose information was compromised that suing is futile, which is pretty accurate. Notwithstanding the legal defenses to the suits, which we will not comment on, the practical reality is that plaintiffs who sue companies following a data breach usually do not receive any compensation for the compromise, unless they are named plaintiffs. Plaintiffs may receive extended credit monitoring, or have the ability to make a claim to get paid a minimal hourly rate for the time expended to respond to issues of identity theft, but damages are unheard of and elusive.

Realistically, the winners in a data breach class action suit are the lawyers: the lawyers who represent the plaintiffs receive significant fees for bringing the action, and the lawyers defending the companies may also get paid significant amounts. Our point is that consumers do not understand that in class action data breach cases, they are just not going to see dollar signs in damages. So, although 23andMe is getting some negative publicity for sending a letter to plaintiffs’ lawyers explaining that bringing suit is futile, the reality is that, for consumers, that position is accurate.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.