For those under a rock, here’s a quick TL;DR timeline of DeepSeek’s rise:
- 2023: DeepSeek emerges as a Chinese AI startup, funded by the High-Flyer hedge fund.
- December 2024: The company launches DeepSeek-V3, a model with 671 billion parameters, trained at a fraction of the cost of U.S. counterparts like GPT-4.
- January 2025: DeepSeek-R1 focuses on complex reasoning, rivaling leading AI tools in mathematics and coding.
- 2025: DeepSeek’s AI Assistant becomes the top-rated free app on the U.S. App Store, creating waves in the global AI market.
With that out of the way, let’s explore what DeepSeek’s disruption means for U.S. companies, particularly around its privacy policies, terms of use, and implications for governance and security. However, for U.S. companies, its privacy policy and terms of use raise questions about data security, compliance, and operational risks. Business leaders must understand these implications to mitigate risks while leveraging such tools effectively.
Key Risks and Strategies for U.S. Companies
1. Data Sovereignty and Privacy
DeepSeek’s policy involves collecting user inputs such as text, audio, and uploaded files, in addition to technical data like device models, operating systems, IP addresses, and usage patterns. This broad data collection raises questions about how securely this information is managed and whether it might be accessible under foreign data laws, such as those in China. For U.S. companies, the primary concern is where this data is stored and processed, especially if it’s outside the U.S.
- Concern: Data stored under foreign jurisdictions, particularly in China, may be subject to laws that conflict with U.S. privacy regulations.
- Implication: Companies could face compliance challenges with laws like GDPR, CCPA, or industry-specific standards (e.g., HIPAA, PCI-DSS), risking penalties and reputational harm.
Actionable Steps:
1. Confirm Data Storage Locations: Ensure transparency from vendors about where and how data is stored.
2. Perform Compliance Audits: Regularly review data practices to align with international and domestic regulations.
3. Implement Encryption Standards: Use robust encryption for all sensitive data transfers and storage.
2. Proprietary Information Risks
DeepSeek reserves the right to use input data, including sensitive business communications or proprietary strategies, for model training and improvement. For example, a marketing agency inputting client strategy data might inadvertently contribute to DeepSeek’s broader AI development—creating unintended exposure of intellectual property and putting the company at a competitive disadvantage.
- Concern: Intellectual property exposure could lead to competitors indirectly benefiting from proprietary data, diminishing the company’s competitive edge.
- Implication: If sensitive data becomes embedded in AI models, companies risk legal liability, reputational damage, and a loss of trust from clients and stakeholders.
Actionable Steps:
1. Classify Data: Establish and enforce clear protocols to identify what data is permissible for upload to AI platforms.
2. Secure Contracts: Ensure vendor agreements explicitly restrict the use of proprietary data for training AI models.
3. Use Synthetic Data: Employ anonymized or synthetic data to mitigate risks associated with sharing sensitive information.
3. Data Retention Post-Account Deletion
DeepSeek retains certain data even after account deletion, as per its policies and applicable laws. This includes data retained for legal compliance or analytical purposes, which could be accessed long after the company stops using the service.
- Concern: Data retention policies may leave sensitive information vulnerable to unauthorized access or prolonged use beyond the intended purpose.
- Implication: Retained data could become a liability if mishandled, leading to legal exposure, compliance violations, or reputational damage.
Actionable Steps:
1. Clarify Retention Policies: Request detailed documentation on data retention timelines and practices.
2. Limit Data Uploads: Minimize the amount of sensitive data shared with third-party tools to reduce potential exposure.
3. Request Data Deletion Confirmation: Ensure vendors provide assurances of data deletion upon account closure.
4. Transparency on Third-Party Access
DeepSeek’s policy lacks specificity on whether and how user data is shared with third parties. This ambiguity raises concerns, particularly if data could be accessed by entities governed by foreign laws or used for purposes not explicitly disclosed.
- Concern: Sensitive data could be shared with unauthorized third parties, including foreign entities, without clear oversight.
- Implication: Unclear data-sharing practices could lead to security vulnerabilities, reputational harm, and loss of control over proprietary information.
Actionable Steps:
1. Conduct Vendor Risk Assessments: Evaluate the vendor’s data-sharing policies and demand clear disclosures on third-party access.
2. Negotiate Data Protections: Include clauses in contracts to limit unauthorized third-party access to sensitive data.
3. Implement Monitoring Tools: Use tools that track and audit data usage and access in real time.
5. Employee Usage and Shadow IT
Employees may use DeepSeek without understanding its implications, bypassing security protocols and creating vulnerabilities. Shadow IT—unsanctioned use of such tools—can result in critical data leaving secured environments, creating significant compliance and security risks.
- Concern: Employees’ unauthorized use of AI tools can lead to data breaches and regulatory non-compliance.
- Implication: Shadow IT can undermine organizational security measures, resulting in inefficiencies, financial loss, or reputational harm.
Actionable Steps:
1. Educate Employees: Train staff on the risks and policies around using unapproved tools.
2. Implement Approved Alternatives: Provide secure, organization-sanctioned AI tools to meet employee needs.
3. Monitor Tool Usage: Use monitoring software to detect and address unauthorized software usage.
6. AI-Generated Content Risks
The use of DeepSeek for generating content presents both opportunities and risks. While AI tools like DeepSeek can streamline workflows and enhance productivity, they are not immune to errors, biases, or overconfidence in their outputs. Automation bias—the tendency to trust AI-generated content without sufficient scrutiny—can have serious implications, particularly in high-stakes environments.
- Concern: Users may overtrust AI-generated content, overlooking inaccuracies or biases embedded in the outputs..
- Implication: Reliance on AI-generated content without critical evaluation can damage credibility, result in legal or regulatory consequences, and perpetuate systemic biases in areas such as hiring, healthcare, or public-facing communications.
Actionable Steps:
1. Establish Content Review Protocols: Implement robust review processes to validate the accuracy and fairness of AI-generated materials.
2. Educate Teams on AI Outputs: Train employees to critically assess and verify AI-generated content, ensuring that human oversight complements AI capabilities.
3. Promote Transparency: Clearly communicate when AI tools like DeepSeek are used in content creation to build trust and manage expectations effectively.
What Can You Do Now?
The action points outlined in this article are not just responses to the specific challenges posed by DeepSeek—they are principles we should be considering every day as we evaluate and improve our businesses. These are exactly the considerations we address when building and implementing comprehensive cybersecurity strategies through NextLink Labs’ Cybersecurity Strategy and Implementation Plans (CSIP).
For organizations ready to take the next step, our CSIP framework can guide you through every phase of developing or enhancing your cybersecurity program. For those who aren’t at that point yet, the action points provided here are a great starting place to proactively address the challenges posed by DeepSeek and to strengthen your overall cybersecurity posture.