Bio-Hazard! The Sale of Biogenetic Data in a Bankruptcy Proceeding
By Andrew E. Arthur
Companies in bankruptcy often attempt to sell assets, including customer data. The sale of customer data can raise significant privacy concerns. Bankruptcy courts often navigate the sale of data to ensure compliance with privacy laws and balance the interests of creditors and consumer rights, especially when data includes personally identifiable information (PII). Legal challenges related to selling customer data in bankruptcy occur when consent for data-sharing has not been obtained because the Health Insurance Portability and Accountability Act (HIPAA) only applies within the health care setting — not when a person’s health information is held by private genetic-testing companies.1
Biogenetic and biotech companies — those that hold DNA data for at least 26 million people2 — have recently been in the limelight due to financial struggles. With bankruptcies looming for commercial DNA companies, there is a growing concern that one’s DNA might fall into the wrong hands and be used for unwanted or unforeseen circumstances. However, with no high-profile bankruptcy case solely centered on genetic data and the sale of one’s DNA emerging as an area of concern, this article analyzes what may happen if a high-profile biotech company, such as a 23andMe, were to file for bankruptcy, and the laws that might have to be used to protect consumer-privacy rights.
Concern with the Sale of DNA Data
In October 2023, there was a 23andMe data breach that targeted specific racial and ethnic persons, exposing genetic information and pictures of users and their locations.3 While the sale of genetic data to a third party might not be as extreme as that of a data breach, there are still other apparent concerns, especially a concern with what insurance companies would do with genetic data, as the data can be central to modeling customer risk. The worry is “that insurance companies will ‘seek out people who are genetically pure, creating a ghetto of the uninsured.’”4
In addition, “[r]esearchers have investigated the link between an individual’s genetics and everything from their financial acumen to their driving ability, perhaps proving of interest to banks considering a loan application or a car insurer considering a new policy.”5 There are still unpredictable or noncommercial concerns, especially as genetic research continues to progress, which makes it important that laws progress with the technology.
Courts Must First Consider the Company’s Privacy Policy Statement in a § 363 Sale
In a bankruptcy, a debtor has the ability to sell free and clear of liens and interests, as long as any one of the five criteria listed in § 363(f) is satisfied, and the interest-holder is provided with adequate protection of its interest under § 363(e).6 Whether § 363(f) will permit the sale of genetic information will depend on the nature of the protection given to that right outside of bankruptcy.7
Under § 363(b)(1), PII may be transferred in bankruptcy unless the debtor has a policy prohibiting such transfer.8 If such a policy was “in effect on the date of the commencement of the case,” such data cannot be transferred unless the sale is consistent with the policy, or a “consumer privacy ombudsman” is appointed and the court (1) considers all the facts and circumstances and (2) does not find that sharing violates nonbankruptcy law.9
A court will have to ask whether the privacy statement “prohibit[s] the transfer of [PII] about individuals to persons that are not affiliated with the debtor.”10 One of the most popular genetic data companies, 23andMe is known to have a strong privacy statement in the event that it does sell a person’s personal information to a third party, especially in a bankruptcy.11 As such, 23andMe’s privacy statement says that
data can only be shared with third parties in limited circumstances: “(a) to comply with [the] legal process or professional obligations, (b) to enforce their Terms of Service, (c) to respond to complaints that [the] content violates others’ rights, [and] (d) to protect the rights and safety of 23andMe. It will not share data with employers, insurance companies or public databases. It will only share with law enforcement if required by law, and they claim they have never done so. And, if they share with a service provider to help with their business, they contractually require the service provider to keep the data confidential.”
While a company can sell genetic data to a third party, if a company has a strong privacy statement (such as the one that 23andMe currently has), then the third party will be bound by the terms of that privacy statement, which will put limits on what can be done with the genetic data.
State Laws and FTC Will Be a Further Line of Defense Against the Unwanted Dissemination of Genetic Data
About 25 states have statutes that provide some form of protection to the privacy of genetic information.12 States take various approaches in restricting the use of biometric data, which reflects how little consistency there is among the states. At least 12 states prohibit the use of genetic information without consent, regardless of how the information had been obtained.13 For example, Illinois became the first state to enact a biometric data privacy law in 2008.14 The Illinois Biometric Information Privacy Act (BIPA) states, “No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or redisclosure....”15 In 2023, several states proposed bills that were closely patterned after the BIPA imposing similar compliance obligations and providing for the ability for individuals to pursue class action litigation for noncompliance.16
In addition, § 5 of the Federal Trade Commission (FTC) Act protects against deceptive trade practices whereby the FTC acted to enforce privacy promises.17 An example of the FTC’s use of § 5 is In re Toysmart.com LLC,18 whereby the debtor sought to sell customer lists within the bankruptcy after promising prior to the bankruptcy not to do so.19 The FTC sought to enjoin the sale of the customer lists and obtained an injunction, and the sale was ultimately blocked.20
Conclusion
While there are some protections in place to protect a person’s DNA or biometric data within a bankruptcy sale (e.g., a company’s privacy statement), additional protections are needed. State laws need to progress with the speed of the potential uses of the genetic data. As of January 2025, a bill has been referred to the New York Senate Consumer Protection Committee seeking to establish the Biometric Privacy Act in New York, which would set strict guidelines for private entities on the collection, storage, use and disclosure of biometric identifiers and information.21 The bill requires entities to inform and obtain written consent from individuals before acquiring their biometric data, prohibits profiting from this data, and mandates that it be protected with the same or higher standards as other sensitive information.22
As the use of DNA and biometric data is presumed to still be in its infancy, more laws will still need to be implemented to fully protect consumer rights. There are currently still protections in place in certain states and with the FTC that would protect DNA or biogenetic data in the event that a company’s database is sold in a bankruptcy, which would protect against one’s data being used with malicious intent. Unfortunately, these protections are unavailable in case of a significant data breach; therefore, a consumer must decide whether keeping genetic data on a company’s database is worth the risk, or whether the consumer would be better off requesting that the data be deleted and completely removed from the database prior to any potential bankruptcy sale.
Andrew Arthur is an associate with White and Williams LLP in New York and concentrates his practice on bankruptcy, restructuring and commercial litigation matters, including the representation of debtors, creditors and other parties-in-interest.
1 “Legal Expert on How 23andMe’s Financial Struggles Could Impact Customer Data,” ABC News (Nov. 19, 2024), abcnews.go.com/US/legal-expert-23andmes-financial-struggles-impact-customer-data/story?id=115895688 (unless otherwise specified, all links in this article were last visited on Feb. 24, 2025).
2 Benjamin T. Van Meter, “Note: Demanding Trust in the Private Genetic Data Market,” 105 Cornell L. Rev. 1527 (July 2020).
3 In re 23Andme Inc. Customer Data Sec. Breach Litig., 2024 U.S. Dist. LEXIS 219622 (N.D. Cal. 2024) (“In October 2023, 23andMe announced that there was a data breach at the company and, as a result, a wide range of sensitive personal information of customers was compromised, ‘including but not limited to name, sex, date of birth, genetic information, predicted relationships with genetic matches, ancestry reports, ancestors’ birth locations and family names, family tree information, profile pictures, and geographic location.’ Cybercriminals had specifically targeted 23andMe customers of Ashkenazi Jewish and Chinese descent, offering their data for sale on the dark web.”).
4 Van Meter, supra n.2 at *1551.
5 Id. at *1551-52.
6 Edward J. Janger, “Genetic Information, Privacy and Insolvency,” 33 J. L. Med. & Ethics 79, *82-83 (2005).
7 Id.
8 Id.
9 11 U.S.C. § 363(b).
10 David Siffert, “If 23andMe Goes Bankrupt, What Happens to All Our Data?,” New York Law Journal (Jan. 3, 2025), law.com/newyorklawjournal/2025/01/03/if-23andme-goes-bankrupt-what-happens-to-all-our-data (subscription required to view article).
11 Id.
12 Janger, supra n.6 at *81.
13 Id.
14 “Is Biometric Information Protected by Privacy Laws?,” Bloomberg Law (June 20, 2024), pro.bloomberglaw.com/insights/privacy/biometric-data-privacy-laws.
15 740 ILCS 14/15(d)(2).
16 Kyle R. Fath, Kristin L. Bryan & David J. Oberly, “New 2023 Legislative Proposals Could Reshape the Biometric Privacy Landscape,” Nat’l Law Rev. (Feb. 18, 2023), natlawreview.com/article/new-2023-legislative-proposals-could-reshape-biometric-privacy-landscape.
17 Janger, supra n.6 at *81.
18 In re Toysmart.com LLC (Bankr. D. Mass. 2000).
19 Janger, supra n.6 at *81.
20 Id. at 83.
21 “New York: Bill for Biometric Privacy Act Referred to Committee,” DataGuidance (Jan. 13, 2025), dataguidance.com/news/new-york-bill-biometric-privacy-act-referred-0 (subscription required to view article).
22 Id.