Biden Administration Proposes New Rules Governing Data Transfers to Adversarial Nations
Summary:
On Monday, October 21, 2024, the Biden administration officially announced new proposed rules related to a February executive order designed to prevent foreign adversaries such as China and Russia from exploiting easily obtained American financial, biometric, precise geolocation, health, genomic, and other data to carry out future cyberattacks or continue to spy on Americans. According to the fact sheet released by the administration, data transfers to organizations and individuals in China, Russia, Iran, North Korea, Venezuela, and Cuba will be prohibited once pre-set volume thresholds are exceeded. The tightest restrictions are placed on American genomic data, with a maximum of 100 Americans over 12 months. An organization may transfer the device IDs, SSNs, and driver's license numbers of no more than 100,000 Americans per 12 months. The documentation includes many other, more nuanced rules, including an absolute prohibition on the transfer of active-duty military or federal personnel data. The proposed rules will affect all US-based data brokers that sell their collected data to the six designated countries, and are intended to protect against serious threats to US national security by thwarting malicious surveillance activities. Restrictions would also apply to a variety of other business relationships with entities and individuals in the six countries, including investment in American companies, the hiring of subcontractors, and data processing or storage. Companies must also comply with CISA cybersecurity frameworks, which include physical access control, data minimization, and encryption standards, when making such transactions.
Security Officer Comments:
The US administration's announcement of new data transfer rules marks a significant step towards mitigating foreign surveillance risks. These rules, designed to protect sensitive American data from exploitation by adversaries like China and Russia, include targeted restrictions, volume thresholds, and broader implications for business relationships. Although some of the restrictions, like the ones placed on SSN data, seem to call for a smaller threshold, any regulation that safeguards sensitive personal American data helps build an effective nationwide security posture. While there are potential challenges to regulating American businesses and sanctioning other countries, the rules represent a valuable addition to cybersecurity efforts.
Link(s):
https://therecord.media/biden-administration-rules-data-transfer-adversaries
https://www.justice.gov/opa/pr/just...posed-rule-addressing-national-security-risks
FACT SHEET PDF: https://www.documentcloud.org/documents/25244888-nprm-fact-sheet-102124