23andMe said it didn’t find any evidence of a “data security incident” in last week’s leak, a distinction it drew because the information hackers gathered was available to opted-in users. But putting the burden on consumers to protect their own sensitive data with strong passwords and careful management is wrongheaded, said Suzanne Bernstein, a law fellow at digital rights nonprofit Electronic Privacy Information Center.
“If 23andMe is collecting, storing and processing a tremendous amount of very highly sensitive personal data, I think at the end of the day they should take responsibility for that,” she said.
The solution, according to Bernstein, is not to expect consumers to evaluate each company by sifting through long and hard-to-understand privacy policies — but for lawmakers to pass and enforce tough privacy and security rules that companies can’t wriggle around.
Read more here.