DataBreaches.Net


Justice Department Issues Comprehensive Proposed Rule Addressing National Security Risks Posed to U.S. Sensitive Data

Posted on October 22, 2024 by Dissent

From the U.S. Department of Justice, October 21:

Proposed Rule Would Establish New Program to Implement Executive Order to Prevent Access to Americans’ Sensitive Personal Data by Russia, Iran, China, and Other Countries of Concern

Note: Read the Department’s fact sheet on this matter here.

The Justice Department today issued a Notice of Proposed Rulemaking (NPRM) to implement President Biden’s Executive Order 14117 (the E.O.) of Feb. 28, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The E.O. addresses the national security threat posed by the continued effort of certain countries of concern to access and exploit certain kinds of Americans’ sensitive personal data. The President charged the Justice Department with the responsibility of establishing and implementing this new national security regulatory program to address these risks. On March 5, the Department’s Advance Notice of Proposed Rulemaking (ANPRM) was published in the Federal Register. Informed by extensive stakeholder outreach and careful consideration of comments, the NPRM addresses public comments received on the ANPRM and proposes a rule to establish this new program and implement the E.O.

This comprehensive proposed rule would implement the E.O. by establishing categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern or covered persons access to government-related data or bulk U.S. sensitive personal data. Among other things, the proposed rule identifies classes of prohibited and restricted transactions, identifies countries of concern and classes of covered persons to whom the proposed rule applies, identifies classes of exempt transactions, explains the Department’s methodology for establishing bulk thresholds, provides the Department’s initial assessment of economic and other regulatory impacts, establishes processes to issue licenses authorizing certain prohibited or restricted transactions, issue advisory opinions, and designate covered persons, and addresses recordkeeping, reporting, and other due-diligence obligations for covered transactions.

The Justice Department’s National Security Division requests public comment on the proposed rule within 30 days of its publication in the Federal Register. The Department seeks comments on the proposed rule from industry, trade association groups, civil society, subject-matter experts, organizations and entities potentially affected by the proposed rule, and others with interest in the rule or expertise on data security and cybersecurity. The public may submit written comments on the NPRM at www.regulations.gov.

The proposed rule is tailored to address the specific national security risks stemming from access by countries of concern and covered persons to Americans’ bulk sensitive personal data and certain sensitive U.S. government-related data. These measures complement the United States’ commitment to promoting an open, global, interoperable, reliable, and secure internet; protecting human rights online and offline; supporting a vibrant, global economy by promoting cross-border data flows that are required to enable international commerce and trade; and facilitating open investment.

As previewed in the ANPRM, the proposed rule does not authorize the imposition of generalized data localization requirements to store Americans’ bulk sensitive personal data or U.S. Government-related data or to locate computing facilities used to process such data in the United States. As also previewed in the ANPRM, the proposed rule also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries. To reflect this, the NPRM proposes a new exemption for telecommunications services, provides further clarity on exemptions regarding financial services and intra-corporate-group transfers that were previewed in the ANPRM, and seeks public comment on a new proposed exemption for clinical-trial data.

The proposed rule’s prohibitions and restrictions are consistent with other access restrictions on sensitive personal data that have been imposed in other contexts, including for transactions reviewed by the Committee on Foreign Investment in the United States (CFIUS) and the Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector (Team Telecom). As the ANPRM previewed, the proposed rule exempts several classes of data transactions from the scope of its prohibitions and restrictions, including certain personal communications, financial services, corporate group transactions, transactions authorized by Federal law and international agreements, investment agreements subject to a CFIUS action, telecommunication services, biological product and medical device authorizations, clinical investigations, and others.

As explained in the NPRM, countries of concern can use their access to these types of data to engage in malicious cyber-enabled activities and malign foreign influence activities, bolster their military capabilities, and track and build profiles on U.S. individuals (including members of the military and other Federal employees and contractors) for illicit purposes such as blackmail and espionage. Countries of concern can also exploit this data to collect information on activists, academics, journalists, dissidents, political opponents, or members of nongovernmental organizations or marginalized communities to intimidate them, curb political opposition, limit freedoms of expression, peaceful assembly, or association, or enable other forms of suppression of civil liberties.

The proposed rule would require vendor agreements, employment agreements, and investment agreements that qualify as restricted transactions to comply with the separately proposed security requirements that have been developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) in coordination with the Justice Department. These proposed security requirements require U.S. persons engaging in a restricted transaction to comply with organizational and system-level requirements, such as ensuring that basic organizational cybersecurity policies, practices, and controls are in place, and data-level requirements, such as data minimization and masking, encryption, and privacy-enhancing techniques. CISA is concurrently making these proposed security requirements available for public comment at www.regulations.gov.

Updated October 21, 2024
Source: U.S. Department of Justice, Office of Public Affairs
Categories: cyberwar, Legislation


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.