On February 28, 2024, President Biden signed Executive Order 14117 (the “EO”), on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The United States Department of Justice (DOJ) concurrently published an Advanced Notice of Proposed Rulemaking (the “ANPRM”) to commence the process of establishing regulations that will effectuate the EO. This client alert describes the DOJ’s focus on implementing and enforcing the new data security regime and its practical implications for the industry. Ankura published a companion client alert considering several of the EO and ANPRMs key elements.
“Moving Fast”
During a speech delivered on March 8, 2024, the DOJ’s National Security Division (NSD) chief, Assistant Attorney General Matt Olsen, described the EO and ANPRM as a “groundbreaking” effort by the U.S. Government to build a national security data security regime “from the ground up.” He stated that U.S. adversaries see U.S. sensitive data as an exploitable strategic resource and that DOJ is “moving fast” to apply the new authority to implement a national strategy for data security compliance and enforcement. Olsen noted that the current national security risk environment implicates private sector activities as never before and that the DOJ is focused on implementing “incentives that encourage industry to make the right decisions.”
Olsen stated that the DOJ intends to “relentlessly” apply the full scope of its authorities in furtherance of this strategy, including the use of subpoena and investigative powers, civil enforcement and fines, and criminal prosecution for willful conduct in violation of the forthcoming regulations. He stated that the DOJ intends to hire dozens of new prosecutors and staff to conduct compliance oversight and enforcement activities, supervised by a new NSD Deputy Chief for Data Security. Olsen also noted that the DOJ will provide compliance guidance in order to communicate its expectations to the industry.
What Organizations Should Do
Olsen acknowledged that the regulations will evolve substantially through the course of the ANRPM process. He also described the DOJs intention to engage iteratively with industry during rulemaking in order to “get this right.” But Olsen also recommended that organizations promptly initiate actions to prepare for the forthcoming regulations. Among these actions:
- Know your data. Organizations should inventory and categorize the data that they collect and handle in order to assess whether the new rules will apply and, if so, to what data.
- Know where your data is located. Organizations should inventory the systems and repositories where sensitive bulk data is handled, stored, and communicated in their environment, and ensure the environment is appropriately secured.
- Know who has access to your data. Organizations should audibly control and log access to their sensitive bulk data, with regard to both internal personnel and third parties, such as contractors, vendors, service providers, customers, and partners. Similarly, organizations should evaluate relevant contractual relationships and responsibilities relevant to data security and access.
- Know where and with whom your data will end up. Organizations should conduct diligence and implement appropriate risk controls to reasonably ensure that their bulk sensitive data is not transferred to or accessible by Covered Persons downstream.
- Develop a compliance program. Organizations should deliberately assess and document their information security risks, taking into account the above considerations. Based upon this assessment, the organization should develop a risk-appropriate compliance program of organizational, technical, and people-focused information security controls.
How Ankura Can Help
Ankura professionals have deep experience and a proven record of success working with organizations, investors, and counsel to develop, implement and validate information security, technology, and related compliance programs that are trusted by national security regulators and responsive to business requirements. Our team has particular expertise with NIST-based information security standards. Among others, our experience includes CFIUS Compliance Advisory and Mitigation services, CFIUS Third-Party Monitor and Third-Party Auditor services, Export Controls Advisory services; Export Controls Audit services; FedRAMP Advisory Services, Cybersecurity Compliance Assessments, Enterprise and Data Center Security and Risk Solutions, and Cybersecurity Maturity Model Certification Preparation.
Ankura can help to provide the following solutions (among others):
- Pre-transaction diligence, risk identification, assessment, and management
- Compliance assessment, counseling, program design, and implementation
- Policies, procedures, and governance
- Technology and automation tool selection, development, and integration
- Third-party (e.g., customers, vendors, and contractors) diligence, screening, and risk management
- Auditing, monitoring, and independent oversight
- Support for execution of pre-and post-audit remediation actions
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
