Genetic testing provider 23andMe is facing legal troubles after a data breach that exposed the personal information of millions of its customers. The company has recently changed its Terms of Use to make it more difficult for customers to sue them, but experts say this may not be enough to protect them from liability.

The data breach occurred in October, when a hacker tried to sell 23andMe customer data on the dark web. The hacker claimed to have data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom. When no buyers were interested, the hacker leaked the data online for anyone to access.

The hacker obtained the data by using credential stuffing attacks, a technique that involves using stolen or leaked usernames and passwords to access online accounts. 23andMe told BleepingComputer that the hacker was able to breach a limited number of customer accounts and then used the features of the website to scrape more data from other customers.

The features that the hacker exploited were the ‘DNA Relatives’ and the ‘Family Tree’ features, which allow customers to find and connect with their genetic relatives and ancestors. By using these features, the hacker was able to collect data for 6.9 million people, including their names, email addresses, birth dates, locations, and genetic information.

The data breach has resulted in several lawsuits against 23andMe, accusing the company of negligence, breach of contract, invasion of privacy, and violation of consumer protection laws. The plaintiffs are seeking damages and injunctive relief to prevent further data breaches.

In response to the lawsuits, 23andMe updated its Terms of Use on November 30th, adding a clause that requires customers to agree to mandatory arbitration for any disputes with the company. Arbitration is a process that involves resolving disputes outside of court, usually with the help of a neutral third-party arbitrator. Arbitration is often faster and cheaper than litigation, but it also limits the rights and remedies of the parties involved.

One of the main drawbacks of arbitration is that it prevents customers from filing class action lawsuits, which are lawsuits that allow a large group of people with similar claims to sue a defendant as a group. Class action lawsuits are often used to hold corporations accountable for widespread harm or misconduct, such as data breaches.

23andMe’s new Terms of Use state that customers must use arbitration on an individual basis to resolve disputes with the company, rather than jury trials or class action lawsuits. The Terms of Use also state that customers have 30 days to opt out of the arbitration clause by sending an email to the company. Customers who do not opt out will be bound by the new terms.

However, some legal experts doubt that 23andMe’s arbitration clause will be enforceable, especially for the customers who were affected by the data breach before the Terms of Use were updated. Nancy Kim, a law professor at Chicago-Kent College of Law, told Axios that 23andMe may have a hard time proving that they gave reasonable notice to their customers about the change in the terms and that they obtained their consent to the arbitration clause. Kim said that 23andMe may face challenges in court if they try to enforce the arbitration clause against customers who sue them for the data breach.