Organizations must take steps to ensure compliance with emerging rules targeting foreign adversaries' access to U.S. citizens' sensitive personal information.
A recent data rule from the U.S. Department of Justice should prompt enterprises to plan mapping exercises to determine where data is flowing.
The DOJ's National Security Division began enforcing its new data rule, the Data Security Program, April 8. The data rule aims to prevent six foreign adversaries -- Russia, China, Iran, North Korea, Venezuela and Cuba -- from accessing Americans' sensitive personal data and government-related data through commercial activities, such as data brokers selling data in bulk.
The DOJ issued a limited enforcement policy for the first 90 days of the rule. As a result, the department will "not prioritize civil enforcement actions" through July 8 for violations of the Data Security Program as long as a company or individual can demonstrate good faith efforts to comply with the data rule.
Forrester analyst Stephanie Liu said the DOJ's data rule should push companies to assess their data practices. As companies collect data and pass it along to business or advertising partners, it could eventually make its way to data brokers, she said.
The DOJ's Data Security Program "adds a new sense of urgency" to the issue of data sharing, Liu said. Companies that fail to comply with the data rule could face civil or criminal penalties. The criminal penalty includes up to a $1 million fine and imprisonment up to 20 years.
"They need to at least think about what data they're collecting and where they're sending it," Liu said.
Weighing data broker risk
Liu said rules like the DOJ's Data Security Program mean it's getting riskier for enterprises to work with data brokers. Not only does the DOJ's data rule target data brokers, but new rules from the Federal Trade Commission and Consumer Financial Protection Bureau do so as well.
Businesses work with data brokers, especially on the marketing side, to understand who consumers are, as well as target markets for products or services, Liu said.
"There's a possibility that an enterprise will say, 'the data broker is the one responsible for making sure none of that data is passed to a foreign adversary,'" Liu said. "But we've seen with recent reporting that people are starting to look at the entire supply chain of data. Where did the data broker source its data from?"
Under the DOJ's Data Security Program, companies will be prohibited or restricted from engaging in covered transactions related to six primary categories of sensitive personal data -- personal identifiers, geolocation, genomic, financial, biometric and health.
Covered transactions involve data brokerage, vendor agreements, employment agreements and investment agreements that allow countries of concern access to sensitive data.
Adam Hickey, a partner specializing in cybersecurity and data privacy at law firm Mayer Brown, said the DOJ's data rule "essentially defines 'data brokerage' as any sale of any data to someone who didn't collect the data themselves."
"You can see how that would encompass a large number of arrangements," he said.
Additionally, the data rule's inclusion of vendor and employee agreements means U.S. companies that rely on foreign employees or vendors with affiliates in China or Russia need to consider how those countries may access data.
Preparing for the DOJ data rule
Companies must meet certain thresholds for sensitive data collection to fall under the data rule's jurisdiction:
Human genomic data: 100 U.S. persons
Biometric data: 1,000 U.S. persons
Precise geolocation data: 1,000 U.S. devices
Personal health data: 10,000 U.S. persons
Personal financial data: 10,000 U.S. persons
Covered personal identifiers: 100,000 U.S. persons
Covered entities include foreign companies headquartered in a country of concern or entities that are more than 50% owned by a country of concern, as well as foreign individuals who are employees or contractors of a country of concern or primarily reside in a country of concern. The DOJ plans to publish a list of covered persons on the National Security Division's website.
Hickey said businesses need to first determine if they have covered data that meets the data rule's bulk thresholds. They also need to inventory their data to determine who has access to it, whether it's vendors, foreign affiliates or foreign offices.
"You have to go through at least a rudimentary mapping exercise," Hickey said.
Liu said enterprises need to assess who they are sharing data with and whether they can trust that the vendor or business partner is not sharing data with a country of concern. The DOJ's data rule is a "kick in the pants" for companies that have been procrastinating in keeping track of data, he said.
Challenges for businesses
Liu said while the DOJ's data rule is well-intended, it will be challenging for enterprises to track the different geographies data sets are heading to and through.
"There's so much unknown, especially when it comes to the advertising side, where the supply chain often is a black box," she said. "You honestly don't have a ton of foresight into all the partners and where they're storing data."
Indeed, Hickey said it can be difficult for businesses to assess some vendors' data processes, particularly in less transparent legal environments such as China.
Hickey said he recommends businesses start to incorporate due diligence clauses in standard terms and conditions or service agreements with vendors, asking vendors up front to "raise their hand and tell you if they plan to allow remote access to your data from China or if they're hiring covered persons or contracting with them to process your data."
The DOJ's data rule fulfills a mandate established in former President Joe Biden's executive order to protect Americans' sensitive data from foreign adversaries. It also supports efforts made by President Donald Trump during his first administration to prioritize data as a national security concern.
Christopher Kavanaugh, a partner at law firm Cleary Gottlieb, said the U.S. government has relied on sanctions and export controls to prevent the flow of funds and sensitive technology to adversaries.
However, those measures don't stop the flow of data, which is where the DOJ's Data Security Program fills the gap.
"We saw with enterprise businesses that they stood up compliance programs if they were implicated by sanctions or export controls, and I think that's exactly what you can expect to see in this space," he said. "Just like with sanctions or export controls, they're now going to have compliance programs to comply with the DSP."
Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining Informa TechTarget, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.