23andMe’s Collapse Raises a Critical Question: What About the Data?

23andMe announced the company has officially filed for bankruptcy, sparking justified concern over the fate of genetic data belonging to 15 million individuals. This news comes on the heels of a devastating data breach in 2023 that exposed the personal information of nearly 7 million 23andMe customers. The situation highlights a crucial yet often overlooked aspect of data security: How sensitive information is protected during corporate transitions such as bankruptcies, mergers, and acquisitions.

As consumers and regulators raise alarms about the potential risks of data exposure, California Attorney General Rob Bonta issued a “consumer alert” regarding the “trove of sensitive consumer data 23andMe has amassed.” Bonta reminded Californians that they have the right to direct the company to delete their genetic data, destroy test samples, and revoke permission for their data to be used in research. 

In response, 23andMe attempted to reassure customers, stating in a media release, “There are no changes to the way the Company stores, manages, or protects customer data.” However, given the company’s recent security failures, many remain skeptical about how well consumer data is safeguarded—especially as the company navigates bankruptcy.

Business Transitions Pose Security Risks

For companies handling highly personal or proprietary data, robust encryption and access controls are not just best practices—they are essential safeguards that can prevent catastrophic breaches, especially in times of organizational instability. Encryption ensures that even if data falls into the wrong hands, it remains unreadable without proper authorization. Access controls dictate who can view or manipulate sensitive data, reducing the risk of internal and external threats. Together, these measures create a security-first framework that protects consumer information regardless of a company's financial status.

In the case of a bankruptcy, data assets may be sold, transferred, destroyed or restructured under new ownership. Without proper encryption and stringent access policies, this process can create major issues. The risk isn't just theoretical: Poor data governance can result in regulatory penalties, loss of consumer trust, and long-term damage to a company’s reputation, as we’ve clearly see witnessed with 23andMe. Organizations should proactively adopt end-to-end encryption and Zero Trust security models to ensure that sensitive data remains protected throughout its entire lifecycle, even if business circumstances change.

Call to Action: Strengthen Data Governance Now

It’s vital to secure sensitive data, whether it’s PII, PHI, payment information, or intellectual property. There will inevitably come a time when that data must be shared—whether within an organization or with external partners. By closely governing data access permissions, leveraging encrypted email, and enabling easy-to-use file security and access controls, businesses can maintain data integrity even in turbulent times. The 23andMe case serves as a reminder that data security isn’t just about preventing cyber attacks, it’s about ensuring that sensitive information remains protected and well-governed under all circumstances — including corporate uncertainty and transition.

If your company deals with sensitive data, now is the time to review and strengthen your security posture. Don’t wait for a crisis to expose vulnerabilities. Whether you’re navigating growth, restructuring, or simply safeguarding customer trust, proactive security measures will protect your most valuable asset: your data.