> “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures”
In all honesty, you can hardly make this claim unless they properly communicated and mandated (at least in writing, since I can't imagine how it could be actually enforced) that users chose/pick passwords different from other platforms. Or at the least enforce an aggressive password change schedule, etc...
And even commercial broadband services.... In full disclosure I worked as a supplier to implement MPTCP on the CPE for BT at the launch of their service (time marker 1:48 starting point) : https://youtu.be/eMKAFWy6940