
Protect Americans’ Personal Data from Exploitation

Protect Americans’ Sensitive Data: How Law Firms Can Help

Data privacy has been a hotly contested issue in the United States. In 1995, after the EU enacted the Global Data Protection Directive, the US declined to enact a federal law to protect citizens’ private data. Slowly, individual states such as California, Colorado, Virginia and Connecticut started to enact privacy laws to protect citizens’ data. Currently, there are 15 states – California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire – that have comprehensive data privacy laws which protect the rights of individuals related to the collection, use, and disclosure of their personal data by businesses.

Some of these rights include the:

  • Right to access their personal data.
  • Right to correct their personal data.
  • Right to delete their personal data.
  • Right to data portability of their personal data.
  • Right to opt out of certain processing of their personal data.

On February 28, 2024, President Biden signed Executive Order 14117 to Protect Americans’ Personal Data from Exploitation. Under the EO, Americans’ sensitive personal data, including genomic, biometric, health, financial, and location data, is to be protected from exploitation by foreign adversaries. The Executive Order authorizes the U.S. Attorney General to prevent foreign adversaries, like China, Russia, Cuba, Iran, Venezuela, and North Korea, from accessing this sensitive personal data. This data can be used by bad actors to scam, blackmail, and track individuals, invade their privacy, undermine their civil liberties, and even commit acts of espionage. This Executive Order is meant to safeguard Americans’ most sensitive data from financial and economic exploitation and from access by hostile foreign countries, many of which have been using this data to track Americans (including military service members), pry into their personal lives, pass that data on to other data brokers and foreign intelligence services, and engage in scams, blackmail and other malicious acts.

Need for Data Privacy

Most people generate a significant digital footprint that can be exploited by hostile actors to the detriment of US national security interests. Sensitive personal data, including biometric, financial, genomic, geolocation, or health data, as well as personal identifiers, is purchased or accessed and then used to understand citizens’ patterns of life, spending and purchase habits, financial troubles, desires, likes and dislikes, and visits to potentially sensitive locations like places of worship, government facilities, gambling venues, and health clinics. That understanding is then used to engage in malicious cyber-enabled activities, espionage, coercion, influence, and blackmail; to build profiles on and target activists, academics, journalists, dissidents, government personnel, political figures, and members of nongovernmental organizations and marginalized communities for surveillance, influence, and intimidation; to curb dissent; and for other nefarious purposes. In addition, many of these hostile actors are applying advanced technologies, like big-data analytics, artificial intelligence, and high-performance computing, to more effectively manipulate, use, and act on sensitive data to enable their nefarious activities.

While various governmental agencies are working to protect Americans’ personal data and to prevent, prosecute and block illegal methods of obtaining this data, like computer hacking, US data privacy laws still leave lawful avenues of access to vast amounts of sensitive personal data. Buying personal data and accessing it through other commercial relationships is currently legal in the US. Until the recent enactment of the EO, there were no comprehensive laws which prospectively addressed the national security risks posed by these hostile foreign actors.

Hostile Actors Using AI to Scrape Sensitive Data

Hostile countries have been using advanced technologies, including artificial intelligence (AI), to harvest, collect, analyze and manipulate Americans’ sensitive personal data to engage in espionage, influence, kinetic, or cyber operations and to identify and gain potential strategic advantages over the United States. These countries have also been using this data to fuel the creation and refinement of AI and other advanced technologies, improving their ability to exploit the underlying data and enhancing the national security and foreign policy threats that result from the harvesting of such data.

Future Obligations to Protect Americans’ Personal Data from Exploitation

After the EO was issued, the Department of Justice issued an advance notice of proposed rulemaking in which it sought public comments on various topics related to the implementation of the Executive Order. Any interested party had until April 19th to provide written comments to the DOJ on the proposed rules. The proposed rules included proposals on the classes of transactions which may involve acts posing an unacceptable risk to U.S. national security, and established specific classes of transactions that are required to comply with security obligations to mitigate the risk which access to the data poses. The 23-page advance notice of proposed rulemaking (ANPRM) is available here. The ANPRM provides some additional clarification on the scope of the EO and sets out some specific organizational, transactional, and compliance obligations for various transactions involving access to sensitive personal data, as well as which categories of data and transactions are being regulated.

The ANPRM identifies which transactions pose the greatest national security risks and are therefore more likely to be restricted or prohibited. The first round of rules will “target only transactions between a US person and a country of concern (or a covered person). Domestic transactions between US persons, who are not covered persons, will not be subject to regulation pursuant to this Executive Order.” Under the proposed rules, the DOJ is currently considering regulating cross-border data transactions that involve China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, based on their “long-term pattern or serious instances of conduct significantly adverse to the national security of the United States.”

The types of transactions currently being considered for prohibition include:

    • Data-brokerage transactions “between US persons and countries of concern (or covered persons)” involving “bulk US sensitive personal data or government-related data;” and
    • Transactions that would provide “a country of concern or covered person with access to bulk human genomic data” or “human biospecimens from which that human genomic data can be derived.”

The types of transactions currently being considered for restriction include:

    • Vendor agreements, including “agreements for technology services and cloud-service agreements;”
    • Employment agreements; and
    • Investment agreements.

Five types of covered data are exempt from the above prohibitions and restrictions:

    • Data ordinarily incident to and part of financial services, payment processing, and related regulatory compliance;
    • Data ordinarily incident to and part of ancillary back-office business operations, such as payroll or human resources within multinational US companies;
    • Data about US government activities, including those of its employees, contractors, and grantees, such as “federally funded health and research activities;”
    • Data required or authorized by federal law or international agreements, such as passenger-manifest information exchanges, INTERPOL requests, and public health monitoring; and
    • Data involving “personal communications” or “information or information materials.”

Under the proposed rules, US entities will be required to develop, implement, and update a compliance program tailored to their individualized risk profile, including their “size, sophistication, products and services, customers and counterparties, and geographic locations.” In addition, US entities are also required to maintain records of their due diligence in complying with the regulations, which the DOJ may obtain upon request.

If you have any questions about how your data is protected, if you have been the victim of a fraud, computer hacking, scam or threat, or if you would like to discuss how the recent EO to Protect Americans’ Personal Data from Exploitation will protect or impact you or your business, please contact one of our attorneys.