On Tuesday, December 22, the U.S. Department of Homeland Security issued a business advisory to American businesses warning them of the risks associated with the use of data services and equipment from firms linked to the People’s Republic of China (PRC).
According to Acting Secretary of Homeland Security Chad F. Wolf, “For too long, U.S. networks and data have been exposed to cyber threats based in China which are using that data to give Chinese firms an unfair competitive advantage in the global marketplace.” “Practices that enable the PRC government to gain unauthorized access to sensitive data – both personal and proprietary – put the U.S. economy and businesses in the position of having a direct risk of exploitation. We urge businesses to exercise caution before entering into any agreement with a PRC-linked firm.”
This advisory highlights the persistent and increasing risk of PRC government-sponsored data theft due to newly enacted PRC laws that can compel PRC businesses and citizens – including academic institutions, research service providers, and investors – to take actions related to the collection, transmission, and storage of data even though these actions run counter to principles of U.S. and international law and policy.
The advisory lists six types of situations that pose risks to U.S. businesses or individuals when engaging in data sharing with PRC firms or entities: data centers owned or operated by PRC firms; foreign data centers built with PRC equipment; joint ventures; legally acquired data augmenting illicitly acquired data; software and mobile device applications owned or operated by PRC firms; and fitness trackers and other wearable electronic devices.
The advisory recommended that “businesses and individuals that operate in the PRC or with PRC firms or entities should scrutinize any business relationship that provides access to data – whether business confidential, trade secrets, customer personally identifiable information (PII), or other sensitive information. Businesses should identify the sensitive personal and proprietary information in their possession. To the extent possible, they should minimize the amount of at-risk data being stored and used in the PRC or in places that PRC authorities can access.”
In particular, DHS provides a list of examples of the types of data that should be considered particularly sensitive:
1. Technology and other data in connection to export-controlled products.
2. Intellectual property, including trade secrets, relating to emerging technologies identified in China 2025 and other PRC plans.
3. Biotech, genomic data, and medical test data.
4. Personally-identifiable and other sensitive information.
5. Geolocation data.
Source: U.S. Department of Homeland Security, December 22, 2020