The Department of Justice ("DOJ") is wasting no time in implementing the new cyber-security Executive Order (the EO), signed on February 28, 2024. As explained in our April 2024 blog post, the EO aims to portect Americans’ data security and is set to take effect next year. Within a week after it was signed, the DOJ (1) initiated the notice and comment process by issuing an Advance Notice of Proposed Rulemaking, (2) began developing an enforcement and compliance regulations, and (3) started ramping up staffing and resources to include dozens of new attorneys and non-attorneys, a larger FIR Compliance and Enforcement Unit, and a new Deputy Chief for National Security Data Risks.

According to Assistant Attorney General, Matthew G. Olsen, the enforcement and compliance regulations will have “real teeth” and be backed by a “full suite” of civil, criminal, investigatory, and subpoena authorities. Like other anti-corruption and compliance initiatives, the DOJ intends to focus on voluntary compliance and expects companies to develop risk-based compliance programs. Each company’s compliance program should be tailored to its individual risk profile based on the company’s size and sophistication, products and services, customer base, and business location.

So what can companies do now to be prepared when the regulations take effect next year?

According to Olsen, companies should prepare by knowing what data they have, whether it is protected, where it travels, who has access to it, and how it affects their transactions. Companies can reach this goal by taking the following measures:

• Companies must first understand their data landscape, which will likely require a comprehensive inventory of internal and external sensitive data used or possessed by the company. Such inventories enable companies to categorize and assess the volume of their data, and then use that information to tailor the development of data protection policies and training.  
• Companies must also ensure they have the right safeguards in place to prevent the misuse of their data. Such safeguards should include encrypting data during transit, storage, and utilization. For a company’s stored data, protection requires a multi-faceted approach encompassing physical and electronic security measures, including two-factor authentication and other data loss prevention tools like insider threat protections that help detect data use irregularities within the organization.
• Companies should determine what data travels outside the company, including to purchasers, advertisers, marketers, and vendors. According to Olsen, companies must then ensure that they have appropriate agreements in place to ensure the data is protected once it is shared outside the company.   
• Companies must maintain continuous monitoring of data access, particularly for non-U.S. consultants and investors in countries of concern, high-risk employees with routine access to sensitive data, independent contractors, and other service providers. Companies should restrict data access only to what is necessary for relevant tasks.
• Companies should track all of their data transactions. This includes scrutinizing any transactions involving the sale of data and assess any third-party data brokers it uses because third parties often serve as intermediaries for outside attackers. Furthermore, companies’ contracts with third parties should include security agreements and robust control of outsourced data that permits immediate termination to access when business needs end.

By adhering to these measures, companies can build the foundation for a solid compliance program enabling them to prevent, detect, and report violations in advance of the DOJ’s deadline.

[View source.]