Disinformation is fueled by sensitive data, and the United States has learned some hard lessons in the build-up to this year’s presidential elections, where its adversaries have run rampant disinformation campaigns. So what is it doing about it? The U.S. is introducing a new rule that targets foreign threats exploiting sensitive data of its citizens.
The U.S. Department of Justice on Monday, in a Notice of Proposed Rulemaking (NPRM), proposed a significant initiative to protect Americans’ sensitive data from foreign adversaries. The rule, derived from President Biden’s Executive Order 14117, aims to curb the exploitation of U.S. data by countries identified as threats.
The new proposal doesn’t impose sweeping changes immediately but instead seeks public feedback for refining the rule before it takes effect.
A Response to Foreign Threats Exploiting Sensitive Data
Countries such as China, Russia, and others have increasingly utilized sensitive U.S. data to bolster their cyber capabilities. This data, often obtained through commercial transactions, can be exploited for blackmail, espionage, and cyberattacks.
The NPRM outlines stringent measures targeting data transactions that risk providing foreign adversaries access to bulk sensitive data, such as biometric, genomic, and geolocation information.
These regulations build on the framework previewed in the Department’s March Advance Notice of Proposed Rulemaking (ANPRM) and introduce specific classes of restricted transactions.
Key Provisions and Covered Data
The proposed rule introduces prohibitions and restrictions on data transactions with designated “countries of concern” and “covered persons.”
It defines six categories of sensitive personal data, including biometric identifiers and financial data, that could be exploited for national security threats if linked to identifiable U.S. individuals. For instance, transactions involving over 1,000 individuals’ biometric data or 10,000 individuals’ financial data would trigger regulatory scrutiny.
Also Read: FTC Fines Cerebral $7 Million for Sharing Millions of Patients’ Data
In terms of scope, the rule designates China, Cuba, Iran, North Korea, Russia, and Venezuela as countries of concern due to their documented threats to U.S. national security. The rule also regulates data associated with U.S. government personnel, given its potential for misuse in intelligence operations.
Restrictions and Security Requirements
The NPRM details three primary categories of restricted transactions: vendor agreements, employment agreements, and certain investment agreements.
These can proceed only if stringent security measures are in place, as outlined by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). Requirements include encryption, data minimization, and organizational policies that mitigate risks associated with data access by foreign entities.
The rule proposes multiple exemptions, such as those for telecommunications services, financial services incidental to routine operations, and certain intra-corporate data transfers. Exemptions also cover clinical-trial data, reflecting industry concerns raised during the ANPRM comment period.
Compliance and Reporting Obligations
To ensure adherence, the rule would require affected U.S. entities to develop risk-based compliance programs tailored to their operational scale and geographic exposure. Compliance programs must include audits, data-flow logging, and secure data handling practices. The NPRM also sets forth reporting requirements for U.S. persons involved in data transactions that might pose risks due to foreign affiliations.
Non-compliance carries substantial penalties, including fines up to $1 million and imprisonment for willful violations. This stringent enforcement aligns with the broader U.S. strategy of using economic tools to counter national security threats posed by foreign adversaries.
What’s Next and Stakeholder Involvement
The Justice Department invited public comments within 30 days of the NPRM’s publication in the Federal Register. This outreach follows a robust consultation process initiated with the ANPRM, where the Department engaged over 100 stakeholders to shape the rule’s development.
While the NPRM does not introduce new surveillance capabilities, it significantly raises the bar for safeguarding sensitive data from misuse by foreign powers. As regulatory frameworks evolve, companies handling high volumes of sensitive data must adapt quickly to these emerging security expectations.
