DATAINSIDER

Digital Guardian's Blog

U.S. Govt Reiterates Data Security Risks Linked to China

by Chris Brook on Monday January 11, 2021


A new advisory highlights the risk of PRC government-sponsored data theft.

The U.S. government is again reminding American businesses of the inherent dangers of using software and services connected to China.

In an advisory, released shortly before many organizations went on Christmas break last year, the United States Department of Homeland Security (DHS) urged organizations and agencies alike to exercise caution when either working with or interacting with firms based in the People's Republic of China.

Federal entities have of course outlined risks associated with China before, but the DHS says this report is largely based on data collection actions prompted by PRC laws already on the books in the country, laws that could press companies there into surrendering data to the government.

Companies may not realize that these so-called "asymmetrical advantages" - the lack of robust privacy laws, IP rights, and human rights protections - could open the door to data theft by "co-opting PRC firms to act as proxies and tools of the CCP," or the Chinese Communist Party.

These actions can have an adverse effect on U.S. businesses' trade secrets, intellectual property, and other confidential business information, DHS warns. They can also lead to “violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses."

In the document (.PDF), which the DHS technically refers to as a Data Security Business Advisory, the agency covers PRC laws, including recent laws like the PRC Data Security Law of 2020 and PRC Cryptography Law of 2020, that can ultimately be used by the CCP to get Chinese firms to offer up data, access, or encryption keys. The document also details actions organizations can take to mitigate the risks.

Even in instances where data may not appear to be in jeopardy, such as data processed by fitness trackers and other wearable technology, it could be obtained and cross-referenced with the help of China's 2017 National Intelligence Law.

Organizations, the DHS asserts, should be aware of the risks of doing business with firms affiliated with the PRC in the first place. If a relationship is already in place, the businesses should also have the appropriate policies, practices, and internal controls in place to maintain best practices in data security.

To ensure that data remains secure, organizations should minimize any data that's stored or used by the PRC, perform transaction monitoring, review terms of service, and remain alert when conducting business in China.

If they're not already, firms that use or store data in the PRC should ensure that the following types of data are considered sensitive:

1. Technology and other data in connection to export-controlled products.
2. Intellectual property, including trade secrets, relating to emerging technologies identified in China 2025 and other PRC plans.
3. Biotech, genomic data, and medical test data.
4. Personally identifiable and other sensitive information.
5. Geolocation data.

The U.S. has taken a handful of steps over the last several years to crack down on risks and actions associated with CCP-sponsored data theft.

The U.S. publicly accused two Chinese hackers working for Beijing last summer of trying to steal terabytes of sensitive coronavirus vaccine research data from biotech firms. Also last year, the U.S. Justice Department charged Chinese military workers with stealing 145 million U.S. citizens' data in the 2017 Equifax hack, an attack that's widely viewed as the worst corporate data breach ever.

That's in addition to the countless cases the DOJ has lodged recently against scientists and academics affiliated with China who took jobs in the U.S. in order to steal or attempt to steal proprietary information from U.S. firms.

Tags: Data Security

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.