Biden Issues EO to Guard Sensitive Data from Adversaries

Published: February 29, 2024

Tags: Federal Market Analysis, CFPB, Cybersecurity, DEFENSE, HHS, DHS, DOJ, Policy and Legislation, VA

The White House calls for regulations to prohibit the transfer of bulk sensitive personal and government-related data to countries of concern through commercial transactions.

On Wednesday, the Biden Administration released an anticipated executive order (EO) with provisions to prevent foreign adversaries from acquiring sensitive personal data on Americans. Dubbed the Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, the EO calls for actions by agencies such as the DOJ and HHS to protect sensitive data. While IT conversations these days typically center on the free flow of trusted data, particularly to fuel technologies such as AI, the EO aims to close a security gap by preventing countries of concern from doing the same with commercially available personal and U.S. government-related data.

According to the EO, foreign adversaries are using bulk sensitive personal data and government-related data together with advanced technologies “to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States.”

The EO specifically targets human genomic data, biometric data, PII, personal health data, geolocation information, information on military members, and financial data, calling on specific agencies to put regulations in place to keep such data out of adversaries’ hands.

Declaring a national emergency, the EO extends DOJ authorities to enforce regulations prohibiting certain transfers and transactions of sensitive personal data, particularly with regard to telecommunications infrastructure, health care and consumer protection. The EO also directs a DOJ review of national security risks arising from prior transfers of U.S. sensitive data to countries of concern.

Additionally, the Justice and Homeland Security departments must create security requirements to prevent access to American data through investment, vendor, and employment relationships. Such requirements may include “cybersecurity measures such as basic organizational cybersecurity posture requirements, physical and logical access controls, data masking and minimization, and the use of privacy-preserving technologies,” according to a DOJ fact sheet.

The EO also calls on HHS, DOD, and the VA to take additional steps to ensure that federal grants, contracts and awards are not used to facilitate access to sensitive information through U.S. healthcare providers and research institutions.

Focusing on data transit routes, the EO directs the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Team Telecom) to review and terminate existing submarine cable systems linked to countries of concern, and issue policy on the Committee’s review of license applications to avert the threat of sensitive personal data in submarine cable licenses owned or operated by foreign adversaries.

Moreover, the EO directs the CFPB to address the threat of data brokers disseminating mass amounts of sensitive data.

For its part, the National Security Division at DOJ issued an unofficial Advance Notice of Proposed Rulemaking (ANPRM), slated for publication in the Federal Register, to solicit public comment on the scope of transactions involving bulk sensitive data that the EO directs DOJ to prohibit. The ANPRM calls for feedback from groups with data security and cybersecurity expertise, as well as organizations impacted by the proposed regulation, on prohibitions covering “data brokerage and transfers of genomic data, and restrictions on vendor [including cloud-service], employment, and investment agreements” involving six identified countries of concern: China, Russia, Iran, North Korea, Cuba, and Venezuela.

Data transactions exempted from the regulations the EO calls for include, but are not limited to, banking, capital-markets or financial-insurance activities, business operations within multinational U.S. companies, federally funded health and research activities, and transactions authorized by current federal law or international agreements.