The Department of Justice Is Building a Data Security Protection and Enforcement Program | Snell & Wilmer
In response to President Biden’s Executive Order authorizing increased data privacy measures, Assistant Attorney General (AAG) Matthew G. Olsen announced that the National Security Division of the Department of Justice (DOJ) is implementing a data security protection and enforcement program. The public comment period for that program is now open and closes on Friday, April 19, 2024. The program represents another measure in the United States’ efforts to address data protection globally.
President Biden’s Executive Order
On February 28, 2024, President Biden issued an Executive Order (EO) titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern.” In this EO, Biden directed the DOJ to establish and administer novel, highly targeted national security measures to address the growing threat to data privacy. The EO identifies two main types of data transactions of concern to the United States: data brokerage transactions and transactions involving the transfer of bulk sensitive personal data, which frequently occur when data is obtained and then sold or transferred without the consent of the individuals it describes. The EO noted that the risk of harmful consequences from these transactions is “exacerbated” because the data may be used to “develop AI capabilities and algorithms,” which pose a threat to national security.
Biden emphasized that the need for greater protections must be balanced with an open internet that facilitates the international flow of information. The EO represents a necessary step forward to protect Americans and the United States as a whole from continued efforts by foreign actors to access sensitive data. Left unchecked, the consequences could be disastrous. As the EO states, “the growing exploitation of Americans’ sensitive personal data threatens the development of an international technology ecosystem that protects our security, privacy, and human rights.” To respond to this exploitation, the Attorney General and the Department of Homeland Security are now authorized to promulgate “rules, regulations, standards, and requirements” to prohibit or restrict transactions that would give countries of concern access to Americans’ sensitive personal data.
Olsen’s Comments at the ABA National Institute on White Collar Crime
AAG Olsen followed the EO with comments on the DOJ’s plans to implement the new security measures now authorized by President Biden. On March 4, 2024, speaking at the ABA’s National Institute on White Collar Crime, Olsen stated that the National Security Division’s “core responsibility” is to prosecute both corporations and individuals. He emphasized that the DOJ relies on “financial institutions and technology companies” to act as “gatekeepers,” and that this gatekeeping must be founded on “strong compliance programs” designed to “prevent, detect, and report violations.” These compliance efforts are intended to further the DOJ’s national security mission.
Because U.S. adversaries like China and Russia seek to acquire data as a strategic resource, corporations make up the “front lines” of the fight for national security. The DOJ is focused on voluntary corporate compliance to prevent data from falling into the hands of those U.S. adversaries.
Olsen advised companies to follow four key tenets of data protection to ensure compliance with the forthcoming DOJ regulations:
- Companies must know their data, including what categories of data the company regularly processes. In this same vein, companies should ensure appropriate safeguards are in place to prevent misuse of sensitive data.
- Companies must understand exactly where all data is ultimately transferred by reviewing existing vendor agreements. This ensures the data does not fall into the wrong hands.
- Companies must also understand which consultants and investors have access to that data, especially any with ties to foreign adversaries.
- Companies must be aware of any data sales, including the business practices of third-party data sale brokers, to ensure compliance with applicable regulations.
With these parameters in mind, Olsen encouraged companies to develop tailored, risk-based compliance programs. Echoing prior directives from the Attorney General’s Office, Olsen encouraged companies to take a proactive approach to understanding their internal data practices, both to prevent data from falling into the wrong hands and to avoid future DOJ involvement.
By “ramping up” both “staffing and resources significantly,” the DOJ will be equipped to provide advisory opinions to companies. These advisory opinions will give further guidance to the corporate sector to ensure data privacy compliance and effective, proactive disclosure.
Public Comment Period
Following the EO and Olsen’s comments, the DOJ opened a public comment period on its proposed data security and enforcement program. The program “would (1) identify certain classes of highly sensitive transactions that would be prohibited in their entirety, and (2) identify other classes of transactions that would be prohibited except to the extent they comply with predefined security requirements to mitigate the risk of access to bulk sensitive personal data by countries of concern.” The program would target six categories of sensitive personal data:
- U.S. persons’ covered personal identifiers;
- Personal financial data;
- Personal health data;
- Precise geolocation data;
- Biometric identifiers; and
- Human genomic data.
Despite these broad categories, the DOJ emphasized that the program is a “carefully calibrated national security authority to address specific national security threats” but not intended to be “a commercial regulation of all cross-border data flows between the United States and [its] foreign partners, or as a comprehensive program to regulate Americans’ data privacy.” Accordingly, the DOJ will identify classes of prohibited and restricted data transactions, rather than conducting a case-by-case review of individual transactions.
The DOJ issued a lengthy list of issues for public comment, including:
- Whether an advisory opinion process would be useful as a part of this program;
- What factors the DOJ should consider when determining whether to impose a civil penalty for data privacy violations;
- The percentage of the U.S. workforce that could be affected by this program and the related data restrictions, specifically with respect to data that flows under employment agreements; and
- How to best mitigate the cost of compliance for small- and medium-sized businesses.
Finally, the DOJ identified the following preliminary list of foreign countries that pose a risk should they gain access to sensitive personal data: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The DOJ encourages the public to come forward if they have concerns or suggestions about this preliminary list.
Conclusion
The public comment period on the DOJ’s new initiative remains open until Friday, April 19, 2024. If adopted, the program would give the DOJ a new mechanism to enforce restrictions on covered data transactions both within and beyond U.S. borders. The DOJ encourages members of the public to submit comments and feedback on the proposed program.
Companies are also encouraged to conduct a full review of all data policies, including third-party vendor contracts and data privacy statements. Any potential or existing data breaches should be investigated promptly, and companies should evaluate self-disclosure, which may mitigate the harshest sanctions. Most importantly, companies should ensure that they maintain robust data mapping and data protection measures. Knowing which categories of data a company transacts in, where that data flows in the ordinary course of business, and who has access to it will be crucial to complying with the DOJ’s program.
Sources: the Executive Order, “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern” (February 28, 2024); AAG Olsen’s full announcement on the DOJ’s website; and National Security Division; Provisions Regarding Access to Americans’ Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern, 89 F.R. 15,780 (March 5, 2024).