The Direct-to-Consumer (DTC) genetic testing market is a massive biotechnology industry. Millions of people take at-home genetic tests for many reasons, ranging from pure curiosity to learning about a person’s genetic predispositions for diseases. This industry is one of many great accomplishments of modern science because it sequences a person’s genome and provides useful results to that person. The cornerstone of the DTC genetic testing industry is data collection. But this is not normal data collection. This is data collection of peoples’ genomes. Genetic information is immutable information, and as such, it must be safeguarded. However, current laws largely do not regulate this industry in regard to securing and sharing genetic data. And self-regulation of an industry dealing with precious data could prove harmful to people who use this industry.

Databases get breached, and information gets stolen. But instead of having one’s credit card number stolen, a person whose data is stolen from a genetic testing database may have his or her entire genome stolen. Even worse, that data in the wrong hands can do unthinkable harm. This Note explains how this industry trades genetic data like any other commodity, and how current laws do not regulate the DTC genetic testing industry to an appropriate extent. It then argues that this industry must be regulated to protect its consumers. This Note proposes a federal law with a two-part solution. First, customers who experience harm as a result of a genetic data breach must be permitted to seek recovery for such harms, regardless of whether the DTC genetic testing industry was negligent. Second, this industry must be regulated by incentivizing appropriate security and deterring subpar security practices.