Why would 23andMe face any criminal liability? Per the article, they were never breached; only individual accounts with reused credentials exposed in other breaches. They should have had 2FA, but I don't think not having 2FA should be criminalized.
If a bank allowed people to log in to their bank account and make transfers based on only email+password and someone stole money from a bunch of accounts, would the bank face any criminal liability?
I don't know the answer, but I would say your DNA sequence should be secured similarly to your bank account.
I don’t know about criminal liability, but they’re certainly at fault for not implementing a check against known compromised passwords[1]. I believe it’s been an accepted best practice since something like 2017.
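A sketch of the compromised-password check mentioned in the comment above, as an added example that is not part of the original thread or any vendor's code. It assumes a k-anonymity range lookup modeled on the `SUFFIX:COUNT` response of the Pwned Passwords range API; the corpus, counts and function names are constructed, and the "server" is a local stand-in so the block runs offline.

```python
import hashlib

# Constructed stand-in for a breached-password dataset (counts are made up).
CONSTRUCTED_CORPUS = {"password": 1000, "123456": 500, "qwerty12345": 40}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(corpus: dict) -> dict:
    """Server side: group breached hashes by their first 5 hex characters."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index

INDEX = build_index(CONSTRUCTED_CORPUS)

def local_query(prefix: str) -> str:
    """Server side: return 'SUFFIX:COUNT' lines for one prefix.
    The server only ever sees 5 hex characters, never the full hash."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    bucket = INDEX.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))

def breach_count(password: str, query=local_query) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0

def accept_new_password(password: str, query=local_query, min_length: int = 8):
    """Gate for signup and password change: reject short or known-breached values."""
    if len(password) < min_length:
        return False, "too short"
    hits = breach_count(password, query)
    if hits:
        return False, f"found in {hits} breach records"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("password", "123456", "a-long-unbreached-passphrase"):
        print(candidate, accept_new_password(candidate))
```

In a deployment, `local_query` would be replaced by a call to the breached-password service or an internal copy of the dataset; the client-side logic stays the same.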