12 June 2026
When California sued 23andMe over its 2023 breach, the headlines focused on the extraordinary sensitivity of the information involved. Genetic data, health reports and family relationships represent some of the most personal information people can disclose. Yet the most interesting aspect of the lawsuit lies elsewhere. The allegations do not centre on sophisticated attacks or previously unknown vulnerabilities. They focus on whether the company exercised reasonable care.
That distinction matters because it shifts the discussion away from perfect security and towards due diligence. No organisation can guarantee immunity from cyber attack. Regulators and courts understand that. The question people ask is whether an organisation took sensible precautions and responded appropriately when warning signs appeared.
According to the allegations, 23andMe failed to implement measures that other organisations now regard as routine. Multi-factor authentication remained optional, despite years of warnings about credential stuffing attacks. The lawsuit also alleges that the company failed to investigate suspicious activity promptly and reacted only after stolen data appeared for sale and extortion demands emerged. Whether those allegations ultimately succeed remains a matter for the courts, but they reveal something important about the nature of modern cybersecurity expectations.
Small businesses sometimes assume that they cannot hope to meet the standards expected of large technology companies. In reality, many of the controls under discussion require good habits rather than enormous budgets. Multi-factor authentication, strong passwords, patch management, backups, supplier oversight and incident response procedures have become ordinary aspects of responsible administration. They do not require thousands of employees or dedicated security departments.
In many respects, the lawsuit serves as a reminder that governance failures often cause more damage than technical shortcomings. Organisations rarely collapse because they failed to anticipate a previously unknown vulnerability. They encounter trouble when they ignore familiar risks or delay obvious responses. Basic controls may lack glamour, but they continue to provide the greatest return on investment.
This should encourage smaller organisations rather than discourage them. A well-run practice with twenty staff may demonstrate stronger security governance than a company hundreds of times its size. Good security does not arise from complexity. It arises from paying attention, documenting decisions and responding promptly when circumstances change.
Homeowners provide a useful analogy. Nobody expects a person to make a house impossible to burgle. Society expects people to lock doors, maintain smoke alarms and deal with hazards once they become aware of them. Cybersecurity works in much the same way. Due diligence does not demand perfection. It demands reasonable and timely action.
The 23andMe case therefore offers a lesson that extends far beyond genetic testing. Organisations should spend less time searching for perfect security and more time asking whether they have exercised proper care. Regulators and customers expect evidence that management recognised risks, implemented sensible controls and acted responsibly when events unfolded.
For small businesses, that standard remains demanding, but it is also attainable. The goal has never been to prevent every breach. The goal has always been to demonstrate that the organisation took its responsibilities seriously.
