DNA data security requires robust protections, not rhetoric

The BIOSECURE Act, now rolling through Congress, aims to protect the DNA data of Americans from companies with perceived national security risks. That is a noble goal. But the legislation’s misguided approach would single out a small number of companies, including the California-based company I founded in 2005, Complete Genomics, despite the fact that we have no access to such data. It would also let many companies with large volumes of DNA data sell or transfer this data without any legal protections.

Personal DNA data is some of the most sensitive data humans now possess. It contains a blueprint of who individuals are, from their hair and eye color to clues about diseases that may one day affect their lives. While it is critically important that this information be explored by leading laboratories and researchers, it is just as important that it is kept secure, particularly in an increasingly connected world.

The approach to data protection embodied in the BIOSECURE Act is flawed. It not only narrowly targets a small number of companies like mine that don’t have access to personal DNA data, but it also would leave large swaths of personal DNA data held by companies not subject to this legislation — including companies that trace family histories and maintain data on millions of Americans — uncovered, potentially leaving huge numbers of Americans vulnerable to data breaches that could place their most sensitive information in the hands of bad actors.

I have spent my career working with genomic data and working to help scientists and researchers identify the clues it can hold for disease prevention, diagnosis, treatments, and cures. Though the past few decades have led to tremendous breakthroughs in this field, there is still much to learn and discover. As more genetic data are collected from patients, individuals participating in clinical trials, or even from everyday Americans taking DNA tests for fun or understanding their family history, there’s a great need for a holistic approach to data security that treats equally anyone collecting or storing this kind of information and would require them to meet the same set of standards, rather than singling out some companies and leaving others unaddressed.

A broad and uniform approach like the American Privacy Rights Act will not be easy, as can be seen from the recent decision to cancel a scheduled congressional committee vote on the bill. But its approach, which mirrors the federal Health Insurance Portability and Accountability Act (HIPAA) that already protects Americans’ medical records, is far preferable to the flawed BIOSECURE Act, which would leave huge libraries of personal DNA data without any legal protection. Pushing forward legislation that won’t accomplish the data protection it promises could reflect poorly on Congress and make it even harder to pass legislation that would establish the uniform standards that are needed.

The BIOSECURE Act’s sponsors and supporters in Congress claim the bill would address perceived vulnerabilities to the security of personal DNA data stemming from individual companies, which are listed by name in addition to a general definition. The problem is that the bill calls out by name some companies that have no access to genetic data, like Complete Genomics, and ignores others that obviously have such access.

Taking an approach like HIPAA, and establishing a uniform set of standards that protect DNA data broadly and consistently, is a better way to secure Americans’ personal DNA data, as the bill would apply to all companies with access to this data after it is enacted rather than a select few before proper evaluations, making it not just fairer and more consistent but also more effective.

My company, Complete Genomics, is one of the targets of the BIOSECURE Act. The bill’s sponsors have claimed that Complete Genomics belongs in the bill because it was once affiliated with a Chinese conglomerate called BGI (formerly Beijing Genomics Institute), which the Pentagon has designated as connected to the Chinese military. Yet not only are Complete Genomics and its parent company, MGI, no longer a part of BGI, neither Complete Genomics nor MGI has access to or maintains individuals’ DNA data.

Complete Genomics manufactures genomic sequencing instruments, which researchers and laboratories use to read, interpret, and analyze DNA data. But it does not provide these sequencing services, nor can it access the personal DNA data that researchers and labs are generating, as the company’s sequencers are not connected via the internet to any external servers. This is very similar to MRI machines, which allow doctors and hospitals to take images of patients for diagnostic purposes, but this sensitive patient data is controlled by doctors and labs and is not accessible to the companies that manufacture these machines.

I understand that Congress may not want to take my word for it that Complete Genomics does not collect or maintain personal DNA data — but it doesn’t have to. In 2023, the leading independent data security firm FTI Consulting assessed the security of the flagship Complete Genomics sequencer and found no vulnerabilities. Our customers also know that we have no access to their data.

The ownership of Complete Genomics is also public record. While it is true that the company was acquired by BGI in 2013, in September of 2022, our parent company, MGI, completed an IPO and became an independent, publicly traded company on the Shanghai Stock Exchange. Today, Complete Genomics is 100% owned by MGI. MGI and Complete Genomics have their own management, employees, and assets, and neither is any longer a subsidiary of BGI. We have made multiple attempts to inform policymakers about these facts — and make the case that my company does not belong in the bill — but to date Congress has not made the appropriate changes.

The risks of the BIOSECURE Act’s Whac-A-Mole approach do not just affect the companies and labs that use Complete Genomics sequencers today, but those who may benefit from the research that will be conducted with them tomorrow. Taking cutting-edge sequencers such as ours out of the hands of American researchers will lead to higher prices, decreased competition, and less innovation, and could even delay important research into devastating diseases like cancer and Alzheimer’s. American genome researchers will be at a disadvantage compared to researchers outside of the U.S.

With consequences like this on the line, it is a shame that politics and rhetoric have gotten in the way of thoughtful policymaking. But it is not too late for Congress to take a step back and reassess its approach. Uniform standards that would apply to all parties with access to DNA data, much like HIPAA, are a more effective way to protect personal DNA data and a better path forward. They also avoid the potential consequences that a misapplied, ad hoc approach would have for researchers and scientists, and for those who will depend on their future breakthroughs.

Radoje Drmanac is the founder of Complete Genomics and serves as its chief science officer.