Genetic and Biotech IP Security: Protecting Research and Personnel | CloseProtectionHire

Security for genetic research and biotech organisations sits at the intersection of three converging threats: state-sponsored IP theft targeting strategically valuable life sciences technology, animal rights extremism targeting researchers and associated companies, and the specific data protection obligations created by the special category status of genetic data under UK and EU GDPR.

The commercial value at stake is substantial. A novel genetic sequence, a validated drug target, or a proprietary CRISPR delivery mechanism can represent years of research and hundreds of millions in development cost. The organisations that hold this data are, by the standards of most industries, lightly defended.

State-Sponsored Targeting: The PRC Focus

The 2023 joint advisory published by the NCSC (UK), FBI, NSA (US), CISA, and the Australian ASD is the clearest official statement of the state-sponsored threat to biotech. The advisory specifically identifies the People’s Republic of China as systematically targeting life sciences, pharmaceutical, and genetic research organisations through:

• Network intrusion – spearphishing campaigns targeting research staff, compromise of university and institute networks hosting collaborative research, exploitation of remote access systems used by research staff working from home
• Conference elicitation – systematic attendance at international scientific conferences to collect data not yet in the published literature
• Insider recruitment – the Thousand Talents Plan and related talent programmes offer financial incentives to researchers to transfer technology, methods, or materials to Chinese institutions
• Third-party access – compromise of contract research organisations, CROs, and technology partners as a route to data held by the primary organisation

FBI prosecutions documented in the advisory and supplementary case law include:

• Weiqiang Zhang (Iowa), convicted 2016: theft of corn genetics from DuPont Pioneer over 4 years, estimated commercial value USD 30-100 million
• Xiang Haitao (St. Louis), convicted 2019: theft of algicide intellectual property from Monsanto
• Yenwen Cheng (Philadelphia), convicted 2021: theft of vaccine adjuvant research from GlaxoSmithKline
• AstraZeneca manufacturing process case (UK, 2020): former employee passed COVID-19 vaccine process data to Chinese state-connected entity; referenced in UK NSC evidence 2021

The BGI Question

BGI Genomics (formerly Beijing Genomics Institute) is the world’s largest genomic sequencing organisation and a significant provider of prenatal testing services and COVID-19 testing through its subsidiary MGI Tech. The DoD added BGI and subsidiaries to its China Military Companies List (Section 1260H NDAA) in 2021. A 2021 Reuters investigation documented BGI’s collection of genomic data through international clinical partnerships, prenatal testing kits sold globally, and COVID-19 testing kits distributed at population scale in multiple countries.

The specific concern is genomic data sovereignty: genomic data collected from populations in the UK, US, Australia, and other countries may be accessible to the Chinese state under China’s National Intelligence Law 2017, which requires Chinese companies and citizens to cooperate with state intelligence collection. Unlike financial or personal data, genomic data has permanent value – it cannot be changed, it is heritable, and its analytical value increases as AI and genomic research advance.

Healthcare organisations, insurers, and research institutions that have entered data sharing agreements with BGI or its subsidiaries should assess the legal and security implications of those arrangements against the 2021 DoD designation and the NCSC/FBI joint advisory.

Physical Laboratory Security

The NPSA (previously CPNI) and UKRI published joint research security guidance in 2023 that provides the physical security standard for UK research institutions holding strategically valuable material.

Core requirements:

• Perimeter and building security to standard commercial standards: CCTV to BS 8418:2015, intruder detection to PD 6662:2017, access control to BS EN 50131
• Laboratory zone access control: card or biometric access limited to named, vetted individuals; a separate access log for the laboratory zone reviewed weekly
• Visitor escort policy: strictly enforced by physical means – dual-authenticated doors that prevent tailgating, visitor badges that are visually distinctive and do not permit lone access, and a named escort who accompanies the visitor throughout their presence in the controlled zone
• Biological materials chain-of-custody: a log for all biological materials that records creation, transfer, storage location, and disposal. Any material removed from the laboratory triggers a reconciliation check
• Data security: all workstations auto-lock on inactivity; no removable media in the laboratory zone without specific authorisation; DLP (data loss prevention) software monitoring for large data transfers; and quarterly access reviews removing departing and transferred staff

The ISO 27001 information security management standard and ISO 15189 (medical laboratory management) together provide the audit framework for accredited life sciences organisations.

Animal Rights Extremism

Stop Huntingdon Animal Cruelty (SHAC) conducted the most sustained and damaging campaign by an animal rights group against a single company target in UK legal history. From 1999 to 2014, SHAC targeted Huntingdon Life Sciences, its investors, directors, contractors, and associated businesses. Documented activities included:

• Home demonstrations at the addresses of executives, investors, and their family members
• Letter bomb attacks (six confirmed, including at least one seriously injuring a recipient)
• Criminal damage to vehicles and property
• Harassment campaigns against pension funds and banks with any financial connection to HLS
• Interference with the operations of associated suppliers and contractors

Over 120 arrests were made. Multiple convictions followed for conspiracy to blackmail, criminal damage, and sending malicious communications. SHAC effectively made some institutional investors unwilling to hold HLS stock and some suppliers unwilling to maintain commercial relationships.

SHAC as an organisation was effectively disrupted by prosecutions from approximately 2008-2014. The broader animal rights movement retains activist networks targeting organisations conducting animal research, and the tactics – home demonstrations, supplier disruption, social media harassment – remain in use against biotech, pharmaceutical, cosmetics, and food production companies.

The NPSA maintains a briefing for organisations in the animal research sector. The Police Counter Terrorism Unit has responsibility for animal rights extremism that meets the CONTEST definition. Any organisation whose research programme, director profile, or investment base creates exposure to animal rights targeting should assess the current risk and implement executive personal security measures appropriate to the threat level.

Genetic Data Under GDPR

UK GDPR Article 4(13) defines genetic data as personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about their physiology or health. It is Special Category data under Article 9 and Schedule 1 of the Data Protection Act 2018.

The consequences for processing:

• Processing requires explicit consent or a specific Schedule 1 DPA 2018 condition – research and scientific purposes under Schedule 1 para 4 applies in most research contexts, but requires safeguards including an Appropriate Policy Document
• A Data Protection Impact Assessment is mandatory before processing commences
• International transfers require adequacy or specific safeguards under UK GDPR Articles 46-49
• Retention periods must be defined, documented, and enforced

In the commercial biotech context, where genomic data may be shared with CROs, international collaborators, and commercial partners, each data flow requires legal analysis. A data processing agreement that complies with Article 28 is required for every processor relationship. The ICO’s guidance on Special Category data (2024) and the Genomics England Data Access Framework set the benchmark.

The intersection with security is direct: a breach of genomic data – whether through a cyberattack, an insider action, or a physical laboratory breach – is a Special Category data breach requiring mandatory notification to the ICO within 72 hours and potentially to data subjects.

For the broader corporate security programme that research institution security should sit within, see our corporate security programme design guide. For organisations facing animal rights targeting at the activist-to-extremism escalation level, see our guide to security for animal rights and eco-extremism targeting.

Sources: NCSC/FBI/NSA/CISA/ASD: Joint Cyber Security Advisory on PRC Targeting of Biotech and Life Sciences 2023. FBI: IP Theft in the Life Sciences – Case Digest 2015-2024. US DoD: China Military Companies List (Section 1260H NDAA) 2021. Reuters: BGI’s Links to Chinese Military and Security Services, January 2021. UK National Security Committee: Evidence Session on Biotech IP Theft 2021. NPSA/UKRI: Research Security Guidance for UK Universities and Research Institutions 2023. ICO: Special Category Data Processing Guidance 2024. Genomics England Data Access Framework 2024. ISO 27001:2022 (Information Security Management). SHAC case records: R v Avery and others (SHAC prosecution series) 2007-2014.