On February 28, 2024, President Biden signed Executive Order 14117 (the EO), on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The United States Department of Justice (DOJ) concurrently published an Advanced Notice of Proposed Rulemaking (the “ANPRM”) to commence the process of establishing regulations that will effectuate the EO. The EO and ANPRM signal a substantial expansion of U.S. national security authority to regulate the transfer of sensitive data to “covered persons” associated with “countries of concern.” The EO and ANPRM also signal a recognition of, and responsiveness to risks associated with emerging technologies, most notably artificial intelligence (AI).
While the regulations will evolve through the notice process, this new data security regime almost certainly will impact a significant number of companies across a range of industries, including (among others) health sciences, IT, social media (i.e., all companies that collect U.S. persons’ and/or U.S. government-related bulk data). This client alert considers several of the EO and ANPRM’s key elements. A companion client alert describes the DOJs focus on implementing and enforcing the new data security regime, and its practical implications for the industry.
1. What Is U.S. Person Sensitive Data?
The Order seeks to “restrict access by countries of concern to American’s bulk sensitive personal data…when access would pose an unacceptable risk to the national security of the United States.” [As stated above, the Order also reflects an intent to protect U.S. government data, covered in Subsection II.C of the ANPRM, but the focus here will remain on U.S. Person bulk sensitive personal data.] The Order identifies six categories of personal data within scope: covered personal identifiers, geolocation and related sensor data, biometric identifiers, human ‘omic data, personal health data, and personal financial data.
The ANPRM proposes a more detailed operational definition of each category. For most categories, the proposed operational definitions appear comparatively more straightforward to operationalize:
- Geolocation and Related Sensor Data. The data must be “precise geolocation data,” meaning that “whether real-time or historical, [the data] identifies the physical location of an individual or device with a precision of a certain distance (to be determined) based on electronic signals or inertial sensing units.
- Biometric identifiers. The data must be “measurable physical characteristics or behaviors” by which an individual’s identity may be recognized (e.g., facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait, and certain keyboard usage patterns).
- Human ‘omic data. The data must be human genomic data, that is, data representing the nucleic acid sequences that comprise the entire set or subset of genetic instructions found in a human cell, including the results of an individual’s “genetic test” and any human genetic sequencing data.
- Personal Health Data. This data means “individually identifiable health information” as defined in 42 U.S.C. 1302d(6) and 45 CFR 160.103.
- Personal Financial Data. This includes “data about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history, financial statements, or credit report or consumer report data.”
The remaining category, “covered personal identifiers,” appears more definitionally and operationally complex. As currently envisioned, this category seeks to capture data transfers involving “listed identifiers” that, when “linked” together, could be used to identify an individual. Categories of listed identifiers include: (i) full or truncated government identification or account number, (ii) financial account numbers or PINs; (iii) device-based or hardware-based identifiers like SIM card numbers; (iv) demographic or contact data; (v) advertising identifiers; (vi) account-authentication data; network-based identifiers such as IP address or cookie data; and (vii) call-detail data such as Customer Proprietary Network Information. “Listed identifiers” expressly exclude employment history, educational history, organizational membership, criminal history, or web-browsing history. This is consistent with the ANPRM’s stated intent to define covered personal identifiers in a manner that is “narrower than the categories of material typically covered by laws and policies aimed generally at protecting personal privacy.”
The ANPRM also proposes that any combination of the above categories would be considered as its own category -- “combined data.” The ANPRM defines combined data as “any collection or set of data that contains more than one of the above-listed categories.”
Finally, the sensitive data must pertain to “U.S. Persons,” an often-defined term in federal statutes and regulations. The ANPRM provides that “U.S. Person” means “any United States citizen, national, or lawful permanent resident; or any individual admitted to the United States as a refugee under 8 U.S.C. 1157 or granted asylum under 8 U.S.C. 1158; or any entity organized solely under the laws of the United States or any jurisdiction within the United States (including foreign branches); or any person in the United States.”
2. What Is Bulk?
Even if a covered transaction prompts the requirements for “sensitive data,” the new data security regime would not be implicated unless the amount of data in the transaction carries certain defined “bulk” thresholds. The ANPRM specifies a goal to set specific bulk thresholds “based on a risk-based assessment that examines, threat, vulnerabilities, and consequences as components of risk.”
The current threshold ranges under consideration are listed below.
Risk Level | Human Genomic Data | Biometric Identifiers | Precise Geolocation Data | Personal Health Data | Personal Financial Data | Covered Personal Identifiers |
Low | More than 100 U.S. persons | More than 100 U.S. persons (for biometric identifiers) or U.S. devices (for precise geolocation data) | More than 1,000 | More than 10,000 U.S. persons | ||
High | More than 1,000 U.S. persons | More than 10,000 U.S. persons (for biometric identifiers) or U.S. devices (for precise geolocation data) | More than 1,000,000 | More than 1,000,000 U.S. persons | ||
The implication of whether a transaction triggers “Low” or “High” risk is not expressly stated in the ANPRM. However, relevant areas of focus might reasonably include the level of required diligence associated with the transaction, whether the transaction will be prohibited or restricted (discussed below), and/or for restricted transactions, the level of mitigation that may be required for the government to permit the transaction to proceed.
3. What Transactions Are Covered?
The ANPRM proposes to define a “covered data transaction” as any transaction that involves bulk U.S. sensitive personal data or government-related data and that involves: (i) data brokerage; (ii) a vendor agreement; (iii) an employment agreement; or (iv) an investment agreement. If the covered data transaction “may enable countries of concern or covered persons to access bulk U.S. sensitive personal data or government-related data, the transaction either would be prohibited (denied) or restricted (permitted to proceed only upon implementation of designated security requirements).”
Currently, “Countries of concern” are: China (including Hong Kong and Macau); Russia; Iran; North Korea; Cuba, and Venezuela. “Covered Persons” means any entity owned by, controlled by, or subject to the jurisdiction and direction of a country of concern; a foreign person who is an employee or contractor of such entity; a foreign person who is an employee or contractor of a country of concern; a foreign person who is primarily resident in a country of concern; or any person designated by the Attorney General as a covered person. The ANPRM proposes a 50% threshold ownership interest by a country of concern to trigger the control threshold, and organization, chartering, or having a principal place of business in a country of concern as triggering “subject to the jurisdiction and direction of a country of concern.”
With respect to the four types of transactions that could be covered under the ANPRM:
- Data Brokerage. Transactions involving the sale of bulk sensitive data, including the licensing of access to data or similar commercial transactions involving the transfer of data from any person (the provider) to any other person (the recipient), where the recipient did not collect or process the data involved in the transaction directly.
- Vendor Agreement. Any agreement, other than an employment agreement, with a vendor to provide goods or services, and by virtue of the goods or services the vendor will provide, the vendor will have access to bulk sensitive data. This includes agreements for cloud-computing services.
- Employment Agreement. Any agreement for employment where the job function will provide the employee access to the hiring entity’s bulk sensitive data.
- Investment Agreement. The taking of any direct or indirect ownership interest or rights in relation to U.S. real estate or a U.S. legal entity that, by virtue of the ownership interest obtained, would allow the investor access to the entity’s bulk sensitive data.
The ANPRM envisions exempting five types of transactions from any final rulemaking, and specifically “mirroring Office of Foreign Assets Control (OFAC)’s approach in International Emergency Economic Powers Act (IEEPA)-based sanctions regulations by explicitly identifying certain classes of data transactions that are exempt from the scope of its prohibitions and restrictions.” While further description is provided in Section II.H of the ANPRM, the proposed exempt categories are: data transactions involving certain types kinds of data (personal communications and information/informational materials); official business transactions (official business of U.S. government); financial services, payment processing, and regulatory-compliance-related transactions; intra-entity transactions incident to business operations; and transactions required or authorized by federal law or international agreement.
4. How Might a Covered Data Transaction Be Restricted and Not Prohibited?
Perhaps in alignment with other regulatory regimes seeking to balance national security and economic interests, the ANPRM envisions scenarios, where a Covered Data Transaction could be permitted to proceed (i.e., “restricted transactions”), provided certain national security controls are implemented. These include:
- Basic Organizational Cybersecurity Posture requirements (e.g., Center for Informational Security Agency and/or National Institute of Standards and Technology);
- Data minimization and masking (e.g., tokenization), privacy-preserving technologies (e.g., data encryption); protections against unauthorized disclosure; and logical and physical access controls (e.g., role-based access management; physical security); and
- Satisfaction of other compliance-related conditions that could include independent auditing.
- The ANPRM also contemplates a bulk sensitive data export licensing regime, pursuant to which restricted transactions would be authorized to proceed, similar to the approach taken with OFAC licenses.
5. What Information Security Standard Is Cited?
The ANPRM proposes a combination of standards drawn from portions of: (1) the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF); (2) NIST Special Publication (SP) 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations Revision 3; (3) the Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs); and (4) The NIST Privacy Framework. While there may be some ambiguity regarding the implementation of cybersecurity controls responsive to the cited frameworks within the context of the various business sectors, the development of requirements using these frameworks as a basis and the enforcement of their adoption through compliance mechanisms is an important step to solidify an organization’s obligations to protect sensitive personal data. While the ANPRM states that the Department of Homeland Security (DHS) will propose and solicit comment on the security requirements through a separate process, three of the proposed standards, NIST CSF, the NIST Privacy Framework, and CISA CPGs, are voluntary industry guidance documents and do not contain a set of verifiable cybersecurity requirements, while NIST SP 800-171 Revision 3 is a set of security requirements tailored from NIST SP 800-53 which only relate to confidentiality of Controlled Unclassified Information (CUI). While the ANPRM contains security requirements from NIST SP 800-171 Revision 3, it does not mention the critical companion document, NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information, which contains the assessment procedures necessary to verify the security requirements of NIST SP 800-171 and “is the primary and authoritative guidance on assessing compliance with NIST SP 800-171."1
Additionally, an update was released for the NIST CSF Framework on February 26, 2024. One key update to this framework is the inclusion of a Supply Chain Risk Management section which is intended to help organizations manage exposure to cybersecurity risk throughout supply chains and develop appropriate response strategies, policies, processes, and procedures. The framework also references NIST SP 800-161r1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, which provides guidance to organizations on implementing risk management strategies specific to cybersecurity-related risk concerns.
How Ankura Can Help
Ankura professionals have deep experience and a proven record of success working with organizations, investors, and counsel to develop, implement, and validate information security, technology, and related compliance programs that are trusted by national security regulators and responsive to business requirements. Our team has particular expertise with NIST-based information security standards. Among others, our experience includes CFIUS Compliance Advisory and Mitigation services, CFIUS Third-Party Monitor and Third-Party Auditor services, Export Controls Advisory services; Export Controls Audit services; FedRAMP Advisory Services, Cybersecurity Compliance Assessments, Enterprise and Data Center Security and Risk Solutions, and Cybersecurity Maturity Model Certification Preparation.
Ankura can help to provide the following solutions (among others):
- Pre-transaction diligence, risk identification, assessment, and management
- Compliance assessment, counseling, program design, and implementation
- Policies, procedures, and governance
- Technology and automation tool selection, development, and integration
- Third-party (e.g., customers, vendors, and contractors) diligence, screening, and risk management
- Auditing, monitoring, and independent oversight
- Support for execution of pre-and post-audit remediation action
1. The Information Security Oversight Office (“ISOO”) issued CUI Notice 2020-04 which requires federal agencies to use NIST SP 800-171A to define the assessment procedures to verify that the security requirements of NIST SP 800-171 are implemented.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
