Genetic Data Privacy

The Lyon Firm is actively involved in Personal Data Misuse Class Action Lawsuits on behalf of consumers nationwide.

Data Privacy Lawyer

Investigating DNA testing violations and genetic data theft cases

It’s a scary thought, but somebody may be manipulating your genetic data for malicious purposes right now. It may sound like science fiction, but it’s simply a more advanced form of identity theft.

The reality of genetic data misuse is still relatively new, and lawmakers are scrambling to pass consumer data privacy protections. Meanwhile, DNA and other genetic data may be stored improperly by various companies and potentially compromised, leading to various risks and new litigation.

The Lyon Firm is actively investigating genetic data privacy violations and other forms of personal data theft on behalf of plaintiffs nationwide. Data breach incidents and identity theft can leave individuals vulnerable now and in the future, and legal action may be necessary.

Genetics & DNA Privacy Violations

Your genetic code is considered part of your personal protected health information, and should be treated as such by health providers and DNA testing companies. There have been recent concerns about sending DNA samples to genetic testing agencies who may be sharing your genetic data with researchers, law enforcement, or even criminals.

Sending saliva samples to genetic testing companies such as 23andMe and Ancestry to learn more about ancestry and personal health is now big business. But the privacy of DNA tests is poorly understood. Most individuals, in fact, don’t understand the risks of a DNA test and the importance of genetic privacy.

Because there is a lack of DNA data protection for consumers, companies have been writing their own privacy policies that don’t necessarily protect the consumer from genetic privacy violations.

DNA Data Protection

The Genetic Information Nondiscrimination Act (GINA) prevents employers from discriminating against individuals based on genetics. But the law does not regulate third-party companies and how private entities can collect, store and sell genetic data. It may be possible to have your DNA test results and genetic information deleted by 23andMe and other sites, but the data may have already been leaked for millions of consumers.

The companies that provide DNA testing services have had control over a consumer’s genetic information for years without oversight. Genetic testing companies may use your personal information internally or sell the information to outside researchers without additional consumer consent. The storage alone of genetic data can be problematic in the increasingly likely event of a data breach.

MyHeritage was hacked in 2018, and while DNA data was not stolen, the threat leaves consumer safety advocates wary of genetic privacy protections.

Consumer safety attorneys are taking on new class action data privacy violation cases every day. While companies collect, store, share, and sell your personal data, consumers often see their privacy compromised.

Personal data security may take a backseat to company profit and growth, and instances of data misuse are increasingly common. There are many new questions surrounding what companies can legally do with data they collect from their clients, but only a handful of states have actually signed consumer data privacy protections into law.

Personal data privacy violations can be the basis for class action data misuse lawsuits, and The Lyon Firm aims to protect consumer privacy rights. If you have been the target of data theft, personal data misuse or data privacy violations, call for a free consultation. You may be eligible to join existing data privacy class actions and compensation may be available.

Personal Data Privacy

Companies often take advantage of consumers by presenting a long, unreadable privacy policy on websites and apps. The end result is consumers signing away their personal data for nothing in return, except to use a website or media platform. Opting out of data collection may be difficult or impossible in some cases.

Not only is personal data collected and sold by certain companies for profit, but it is not always properly secured, and data breaches lead to data theft and a host of data privacy violations. Cyber security lawsuits are a growing trend in the legal world, and personal data privacy class actions may be necessary to hold companies accountable for instances of data misuse and data theft.

There are many ways in which personal data can be leaked, stolen or misused by third parties. Data breaches can be very costly to everyone involved, and legal action may be a logical course of action.

Consumer Data Privacy Laws

As of 2021, there is no federal legislation in the United States that addresses consumers’ data privacy concerns. There are laws such as HIPAA (personal health privacy), Gramm-Leach-Bliley (financial privacy), and COPPA (children’s online privacy) that establish industry-specific standards, but nothing that encompasses the full scope of online privacy matters.

There are, however, some state laws that may be the model for future federal data collection regulations, including personal data privacy and cybersecurity regulations in California, Illinois and Virginia.


The Biometric Information Privacy Act (BIPA) is one of the most modern examples of state legislation intended to regulate companies’ use of biometric data. Some of the more important provisions of the privacy law include:

  • Requirements for companies to seek informed consent prior to collecting personal biometric data
  • A limitation of rights to sell or disclose collected biometric data
  • A requirement for companies to create confidentiality and data retention guidelines
  • A prohibition of profiting from collected biometric data
  • The right of legal action for individuals affected by data theft violations
  • Damages from $1,000 to $5,000 per negligent or reckless violation

Not only do some states regulate a business’s use of biometric data, but they allow for individuals to bring legal action against companies that violate state biometric data laws. In January 2019, the Illinois Supreme Court ruled that private individuals can file data theft claims if they are able to show that their privacy rights have been violated.

The Illinois statute prohibits an entity from collecting biometric information unless it fulfills the following:

  • Informs individuals in writing that their biometric data is being captured
  • Outlines the purpose and period of time for which the data will be utilized
  • Receives a written release from individuals consenting to the data collection

Other states have been scrambling to catch up with modern advances and have been slow to provide biometric policies.

DNA Data Privacy & Genetic Data Identity Theft

If your biometrics or genetic data are stolen, some savvy fraudsters may be able to wreak havoc in your life. Your genetic code and your biometric information are set in stone, so to speak, and cannot be changed like your credit card number or site passwords. The ways in which this kind of data can be manipulated are still largely unknown, but it is certain that individuals must have consumer protections in place.

Data privacy experts say genetic information could be used in medical identity theft and insurance fraud schemes. Genetic information could also be used against individuals in a court case, where DNA is found at a crime scene. Law enforcement agencies have already been using genetic data to identify suspects.

The bottom line is that consumers must have complete control over their genetic data with few exceptions. At the very least, companies should have your written consent before collecting, storing and distributing your DNA.


Genetic Data Sharing Laws & Privacy Protections

In 2008, the Genetic Information Nondiscrimination Act (GINA) was passed. GINA prevents health insurers from denying coverage or raising prices based on genetic predisposition to certain health conditions. GINA was insightful for its time, but more legislation is needed to protect the consumer.

Since there has not been a federal law that properly encompasses genetic data theft concerns, some states have been leading the charge.

The Genetic Information Privacy Act (GIPA) and other state statutes supplement existing federal and state laws governing genetic information:

  • Entities that engage in the collection of genetic data (any data that results from an analysis of a biological sample or an equivalent element from a consumer that concerns genetic material, including DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, and SNPs) must provide consumers with a complete summary of their genetic data privacy practices.
  • By law, consumers must have access to information regarding the company’s use, maintenance, and disclosure of genetic data. Companies must display a privacy notice which outlines information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices.
  • Under GIPA, companies must get express consent for the collection, use, and disclosure of genetic data. Separate consent must be obtained for the storage of a biological sample after initial testing, use of genetic data beyond the primary purpose of the testing, or transfer of genetic data to a third party.
  • Companies who collect and store DNA and genetic data must implement and maintain reasonable security practices designed to protect a consumer’s genetic data.
  • Under GIPA, individuals must be able to delete their account or genetic data, and destroy biological samples. Much of the new legislation is aimed at limiting the sharing of genetic data with insurers and employers and requiring consent before genetic data can be shared with any third parties.

How do Companies Handle Genetic Data?

Companies and healthcare providers may share customer data on an opt-in basis, and around 80 percent of 23andMe customers agree to participate. Do consumers know what this means, however? 23andMe is a valuable resource in the work of collecting genetic information, but the privacy risks remain.

Testing companies share data only with explicit consent, but other companies allow anyone to upload genetic information to search for relatives. Sharing one individual’s data is opt-in, but what about your family? There is no system in place to protect the genetic privacy of relatives. This is one step on a dangerous path, especially when there have been calls for national forensic DNA databases that may store data for all citizens.

The risk of data theft following data breach events is rising rapidly, with more and more data breach incidents every year. No type of personal information is spared, and DNA privacy is more important now than ever.

DNA Collection & Data Privacy Lawsuits

Unfortunately, protecting your personal data is not a primary concern for most hospitals or companies, which is why some accountability is necessary. When faced with lawsuits, companies are much more likely to comply with consumer rights.

Genetic data privacy is more important than many believe, and in order to prevent cases of data theft and identity theft, more litigation is necessary. Criminals are now able to use small amounts of personal data for large gains. These damages can be substantial and long-lasting. Genetic data theft may prevent consumers from accessing bank loans, education, housing, and health insurance.

The benefits of genetic testing privacy and DNA collection regulation are obvious, but the public needs to put more pressure on companies who store their genetic and biometric information to ensure their privacy rights.

To learn more about data privacy law and current litigation, contact the Lyon Firm for a free and confidential case review. Joe Lyon takes pride in fighting for consumer rights, and holds companies accountable when their negligence causes financial losses and other damages.




Joseph Lyon has 17 years of experience representing individuals in complex litigation matters. He has represented individuals in every state against many of the largest companies in the world.

The Firm focuses on single-event civil cases and class actions involving corporate neglect & fraud, toxic exposure, product defects & recalls, medical malpractice, and invasion of privacy.


The Firm offers contingency fees, advancing all costs of the litigation and accepting the full financial risk, allowing our clients full access to the legal system and reducing financial stress while they focus on their healthcare and financial needs.

Reviewing Data Theft & Data Misuse Claims

Why are Data Privacy Cases important?

Without personal data privacy violation class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty. By holding companies accountable for safely storing your personal information, every consumer will have more control over how their data is used in the future. 


Questions About Data Privacy Lawsuits

What to do if you are a victim of data misuse

  1. Get confirmation of the data theft or misuse and collect as many details about the incident as possible.
  2. Contact an attorney to investigate the complex litigation involved in data privacy lawsuits.
  3. Try to find out what information was exposed and protect yourself as much as possible.
  4. Talk to an attorney before accepting any settlement direct from a company.
  5. Monitor your accounts and personal information closely.

Can I get compensation for data theft?

Yes, in most cases. Each case is different, but some recent lawsuits have proven to be quite valuable. In one data theft suit, the Ohio Attorney General and attorneys general in other states obtained a $17.5 million settlement against The Home Depot due to a data breach in 2014. The settlement resolves a multistate data breach which exposed the payment card information of approximately 40 million Home Depot consumers.

The Home Depot data breach left the company’s self-checkout point-of-sale system vulnerable. In addition to the $17.5 million settlement, The Home Depot has agreed to improve network security and maintain data security practices in order to strengthen its data security program and protect the personal information of consumers.

Who is liable for data misuse?

Under current privacy law, the firm or organization that is storing user data is responsible for data breaches and will pay any fines or damages that are the result of legal action. The actual data holder, an organization that provides cloud storage, is not usually legally implicated or held responsible in litigation.

How can I prevent data misuse?

It’s not as easy as just alerting companies to stop collecting and selling your personal information, but you can take certain steps to protect yourself, including:

  • Opt out of data collection practices if possible
  • Review your credit report
  • Use strong and different passwords for all of your accounts
  • Do not offer your personal information unless necessary
  • Check bank accounts for suspicious activity
  • Limit how exposed you are on social media
  • Speak with a cybersecurity attorney

What is a Class Action Lawsuit?

A Class Action is a lawsuit brought by an individual on behalf of all other similarly situated individuals. Rule 23 of the Federal and State Rules of Civil Procedure allows for Class Action lawsuits to resolve disputes in an efficient format.

Class Actions are typically filed when the amount of money in dispute for a single plaintiff would not justify litigating the case, but where the amount of damages of the entire class of Plaintiffs would justify the cost of litigation. Without class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty.

What are class action requirements?

In order for a case to be certified as a Class Action, the Court must determine that the case is appropriate for class action treatment under Rule 23. There are different elements depending on whether the case is seeking monetary or injunctive relief. In general, the Court must find the following elements are satisfied:

  • Numerosity: The proposed class must be so numerous that simply joining the individual plaintiffs would be impractical. Generally, the class size should exceed 100 individuals.
  • Common Questions of Law or Fact: The facts and/or legal questions in the dispute must be common to all class members. This does not mean all facts or issues must be identical, but the primary facts and law that will determine the issue in dispute must be common among all class members.
  • Typicality: The named Plaintiff in the case must have the same facts and legal issues as the class they are proposing to represent. If the Plaintiff’s individual case involves issues of fact or law that are unique to that Plaintiff and irrelevant to the ultimate issue, class certification may be denied by the Court.
  • Plaintiff/Counsel Adequately Represents the Class: The Court must find that the Plaintiff and Plaintiff’s Counsel are competent and will protect the class’ interests.
  • Predominance: Common questions of fact predominate over individual facts.
  • Superiority: The Class Action is a more efficient and fair means of resolving the dispute. The Court will look at the following factors when making this determination: (1) Class Member interest in maintaining a separate action; (2) the extent of any litigation already begun by other class members; (3) desirability or undesirability of litigating the case in a particular Court; (4) difficulties in managing the class.

When Should I contact The Lyon Firm?

Protecting sensitive personal information is getting more and more difficult, but that doesn’t mean it’s not possible. By forcing companies to become accountable for their lack of cybersecurity measures following data misuse and data breach incidents, consumers will have a more secure future.

Large companies control vast amounts of data, leaving nearly all Americans at risk when their personal data is compromised. If your financial, medical, or consumer information is misused, you may file a data privacy violation claim.

Your Right to Justice

Learn About the Legal Process

Filing a Class Action lawsuit is a complex and serious legal undertaking and can carry monetary sanctions if the proper legal course is not followed. The Lyon Firm is dedicated to helping injured plaintiffs work toward a financial solution to help compensate for medical expenses or other damages sustained.

We work with law firms across the country to provide the most resources possible and to build your case into a valuable settlement. The current legal environment is favorable for consumers involved in data breach class actions, deceptive marketing lawsuits, TCPA telemarketing claims, and financial negligence claims.


© 2020 The Lyon Firm. ALL RIGHTS RESERVED