As incident response and public relations go, blaming victims for your breach is generally not an impressive strategy. Michael Edgar reports that 23andMe seems to be doing exactly that:
Months after the San Francisco-based company experienced a data breach impacting about 6.9 million users, 23andMe is now facing criticism for blaming victims of the breach and discouraging legal action.
The crux of the argument from 23andMe is an interpretation of the California Privacy Rights Act (CPRA) which requires businesses to implement procedures for collecting sensitive data. The law, however, remains vague on what constitutes reasonable security.
23andMe therefore claims in an open letter that it is not responsible for any security breach, and instead contends that users who “negligently recycled and failed to update their passwords” after past security incidents bear responsibility.
Read more at Digit.fyi.