The new rules reflect geopolitical unease around foreign access to the U.S. data. Indeed, with vast amounts of data, personal and otherwise, being moved across borders, there is an increased risk of unauthorized access and use of that data, particularly by state actors.
1. Background
On February 28, 2024, President Biden issued Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This Order tasked the DOJ with creating a new data transfer regulatory framework to mitigate the national security threats posed by certain countries. On January 8, 2025, the National Security Division (NSD) of the DOJ published its final rule (the “Data Security Rule”) establishing the new regulatory framework. The Data Security Rule incorporates, by reference, a set of security requirements issued by CISA.
The Data Security Rule shares many of the features of other U.S. economic security regulatory regimes, including Committee on Foreign Investment in the United States (CFIUS) investment screenings, Office of Foreign Assets Control (OFAC) sanctions, and Bureau of Industry and Security (BIS) export controls. The aim of the Data Security Rule is not to impede normal commercial activity, and broad exemptions for business-as-usual data transfer activities have been included in the regulation.
Nevertheless, the new rules will change how U.S. companies and the U.S. subsidiaries of foreign enterprises transfer data abroad and to foreign parties. Companies will need to exercise caution when transferring certain U.S. data to China. Although the rule has many exemptions, companies will have to carefully evaluate whether an exemption applies by considering the nature and location of the parties involved, the data in question, and the specifics of the transfer itself. For some transfers that fall within the scope of the rule, companies will have to implement a comprehensive array of cybersecurity controls.
The rule will go into effect on April 8, 2025, 90 days after the publication of the rule in the Federal Register. Certain compliance requirements must be met by October 5, 2025, 270 days after publication.
2. Summary of the rule
The Data Security Rule will apply to “data transactions” between a “U.S. person” and a “country of concern or covered person.” § 202.301.
- Countries of concern include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. § 202.601.
- Covered persons include entities headquartered in or owned by a country of concern, entities owned by other covered persons, persons working for covered persons, and persons residing in a country of concern. In addition, other persons may be designated as covered for acting on behalf of a country of concern. § 202.211.
- U.S. persons include U.S. citizens or nationals, U.S. lawful permanent residents, individuals admitted to the United States as a refugee or granted asylum, and any entity organized solely under the laws of the United States or any jurisdiction within the United States. § 202.256.
- Covered data includes bulk U.S. sensitive personal data and government-related data. U.S. sensitive personal data refers to certain covered personal identifiers, precise geolocation data, biometric identifiers, “human ‘omic data,”[1] personal health data, or personal financial data. Each of these categories has a different “bulk” threshold laid out in the rule. Government-related data includes certain geolocation data and sensitive personal data linkable to U.S. government officials.
The Data Security Rule applies to these covered transactions in a three-tiered framework. Some data transactions are prohibited altogether; these include data-brokerage transactions and genomic data transactions. Other data transactions are restricted: they are prohibited unless the parties satisfy a set of compliance measures, including the security requirements issued by CISA. These include vendor agreements, employment agreements, and investment agreements. Finally, some covered data transactions are exempt from the prohibitions and restrictions noted above.
3. Security requirements for restricted transactions
CISA has introduced security requirements for restricted transactions that track with industry standard administrative and technical controls for sensitive data and systems. In fact, many of these controls are standard for companies with mature cyber programs. Below is a summary of some of these requirements:
- Organizational and system level: Implement cyber policies, procedures, and requirements. Designate individuals responsible for cybersecurity, risk management, and compliance.
- Vulnerability management: Remediate known vulnerabilities, prioritize critical assets, and, where remediation is not an option, implement compensating controls. Evaluate and test vulnerabilities for compromise.
- Vendor management: Document and maintain contractual IT and cyber requirements.
- Asset management: Maintain an inventory of covered systems and assets that is updated regularly (e.g., monthly). Maintain a network topology of covered systems as well as connections between assets.
- Logical, physical, and access controls: Implement and test, with an emphasis on access controls. Review and provision access to prevent covered persons or countries of concern from accessing covered data. Manage user access (e.g., through MFA) and manage access to services, hardware, and systems.
- Incident response: Maintain, review, and test incident response plans.
- Change management: Track and require approvals for software and hardware deployed on covered systems.
- Data minimization and encryption: Data should be minimized, aggregated, or masked to reduce the need to process covered data. Maintain data deletion, encryption, and retention policies.
- Implement privacy enhancing technologies.
4. Key exemptions
The Data Security Rule includes nine categories of exemptions from the general prohibition and restriction rules. Two of these are of special significance:
- Financial services exemption: First, data transactions that are “ordinarily incident to and part of” the provision of financial services are exempt. § 202.505(a). This means that a U.S. bank’s transaction of data with a covered person—as an employee, a contractor, an outside vendor, or otherwise—will not be subject to the restrictions of the Data Security Rule so long as it is “ordinarily incident to and part of” the bank’s provision of financial services. Some example scenarios at the threshold of this exemption may include the following:
- Where a U.S. bank hires a data scientist who is a citizen of a country of concern and who primarily resides in that country of concern to develop a new artificial intelligence tool to sell as a standalone product to customers, and the hired data scientist would have rights to access, download, and transmit bulk personal financial data of customers, that data scientist’s employment would be a restricted transaction (and subject to mitigation and compliance measures). § 202.217(a)(4).
- Where a U.S. bank collects bulk personal financial data on U.S. clients, appoints a citizen of a country of concern located in a country of concern to its board, and allows this board member access to that bulk sensitive data, the employment of the board member would not be exempt and would be treated as a restricted transaction. § 202.505(b)(12).
- Where a U.S. bank facilitates payments between U.S. persons in the United States that do not involve a country of concern, and the bank stores and processes customers’ bulk financial data using a data center operated by a third party in a country of concern, the use of the third party’s services is not exempt and is a restricted transaction. § 202.505(b)(4).
- Corporate group transactions exemption: Second, transactions with an affiliate “ordinarily incident to and part of administrative or ancillary business operations” are exempt. § 202.506. These ordinary business operations include, but are not limited to, “(i) Human resources; (ii) Payroll, expense monitoring and reimbursement, and other corporate financial activities; (iii) Paying business taxes or fees; (iv) Obtaining business permits or licenses; (v) Sharing data with auditors and law firms for regulatory compliance; (vi) Risk management; (vii) Business-related travel; (viii) Customer support; (ix) Employee benefits; and (x) Employees’ internal and external communications.” Some example scenarios at the threshold of this exemption may include the following:
- Where a U.S. financial services company and a foreign affiliate financial services provider share a common risk-monitoring application, the transaction between the U.S. company and its foreign affiliate to effectuate the risk monitoring is exempt. DOJ preamble p. 172.
- Where a U.S. financial services company has a foreign affiliate that is a covered person and that provides customer support services to U.S. customers as a part of global support operations, the transaction with the affiliate may not be exempt and may be a restricted transaction. DOJ preamble pp. 172-73.
5. Compliance and enforcement
The DOJ has also prescribed a compliance program for restricted transactions that allows it to track and enforce the Data Security Rule. First, U.S. persons engaged in restricted transactions must develop and implement their data compliance program within 270 days of the publication of the rule in the Federal Register, i.e., by October 5, 2025. Second, U.S. persons engaging in a restricted transaction must conduct an annual, independent audit of their compliance. Third, U.S. persons engaging in any covered transaction must retain records of the transactions, and those engaging in restricted transactions must maintain additional records of their policies, audits, and due diligence. Additionally, the DOJ retained the authority to require reports on demand “relative to any act or transaction or covered data transaction” subject to the rule. To enforce these regulations, DOJ has authority under IEEPA to assess civil or criminal penalties for violations.
6. Conclusion
The new Data Security Rule underscores the U.S. government’s interest in and concern about how companies handle the personal data of Americans. These regulations will require U.S. companies to adopt industry standard cybersecurity measures and conduct careful evaluations of their data transactions. While apprehensions over foreign access to U.S. data have steadily grown in Washington in recent years, this rule demonstrates that existing regulatory frameworks were not sufficient to mitigate the perceived risks. The Data Security Rule creates a stand-alone regulatory framework to compel businesses to align their practices with U.S. government security goals.
Footnotes
[1] “Human ‘omic data” includes genomic data, epigenomic data, proteomic data, and transcriptomic data. § 202.224. The DOJ included only human genomic data in the Notice of Proposed Rulemaking draft, but included the additional three categories of human ‘omic data in the Final Rule after further input and consideration.