DOJ Implementation and Enforcement Plans for the Sensitive Data Executive Order—What It Means for Organizations

Ankura

On February 28, 2024, President Biden signed Executive Order 14117 (the “EO”), on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The United States Department of Justice (DOJ) concurrently published an Advance Notice of Proposed Rulemaking (the “ANPRM”) to commence the process of establishing regulations that will effectuate the EO. This client alert describes the DOJ’s focus on implementing and enforcing the new data security regime and its practical implications for the industry. Ankura published a companion client alert considering several of the EO’s and ANPRM’s key elements.

“Moving Fast”

During a speech delivered on March 8, 2024, the DOJ’s National Security Division (NSD) chief, Assistant Attorney General Matt Olsen, described the EO and ANPRM as a “groundbreaking” effort by the U.S. Government to build a national security data security regime “from the ground up.” He stated that U.S. adversaries see U.S. sensitive data as an exploitable strategic resource and that DOJ is “moving fast” to apply the new authority to implement a national strategy for data security compliance and enforcement. Olsen noted that the current national security risk environment implicates private sector activities as never before and that the DOJ is focused on implementing “incentives that encourage industry to make the right decisions.”

Olsen stated that the DOJ intends to “relentlessly” apply the full scope of its authorities in furtherance of this strategy, including the use of subpoena and investigative powers, civil enforcement and fines, and criminal prosecution for willful conduct in violation of the forthcoming regulations. He stated that the DOJ intends to hire dozens of new prosecutors and staff to conduct compliance oversight and enforcement activities, supervised by a new NSD Deputy Chief for Data Security. Olsen also noted that the DOJ will provide compliance guidance in order to communicate its expectations to the industry. 

What Organizations Should Do

Olsen acknowledged that the regulations will evolve substantially through the course of the ANPRM process. He also described the DOJ’s intention to engage iteratively with industry during rulemaking in order to “get this right.” But Olsen also recommended that organizations promptly initiate actions to prepare for the forthcoming regulations. Among these actions:

  1. Know your data. Organizations should inventory and categorize the data that they collect and handle in order to assess whether the new rules will apply and, if so, to what data. 
  2. Know where your data is located. Organizations should inventory the systems and repositories where sensitive bulk data is handled, stored, and communicated in their environment, and ensure the environment is appropriately secured.
  3. Know who has access to your data. Organizations should auditably control and log access to their sensitive bulk data, with regard to both internal personnel and third parties, such as contractors, vendors, service providers, customers, and partners. Similarly, organizations should evaluate contractual relationships and responsibilities relevant to data security and access.
  4. Know where and with whom your data will end up. Organizations should conduct diligence and implement appropriate risk controls to reasonably ensure that their bulk sensitive data is not transferred to or accessible by Covered Persons downstream.
  5. Develop a compliance program. Organizations should deliberately assess and document their information security risks, taking into account the above considerations. Based upon this assessment, the organization should develop a risk-appropriate compliance program of organizational, technical, and people-focused information security controls.         
