Terry Gerton All right, well, we’re going to talk about a DOJ rule. It is the rule on foreign adversary access to U.S. sensitive data. The rule was issued back in April. So just refresh our memories on what’s in the rule and what DOJ is trying to accomplish.

Townsend Bourne So this rule, as you mentioned, it’s a DOJ rule, so we’re not talking about the FAR or DFARS here, so it’s a little bit different than some of the rules we’ve talked about in the past. This rule stems from an executive order that came out years ago now, actually. The rule became effective at the beginning of April of this year, and the purpose behind the rule is to restrict access to U.S. sensitive information to covered countries, which are listed in the rule and they’re the countries you can imagine would probably be listed, and covered persons, which is defined as people connected to those countries in some way.

Terry Gerton When the DOJ issued this rule, though, they automatically gave a 90-day grace period for compliance. Why was that necessary?

Townsend Bourne The rule per the regulations went into effect on April 8th. And I think, from a lot of the people I’ve spoken to and what I’ve seen on this, even though there was a bit of a runway getting to that April 8 effective date, I don’t think there was quite as much understanding or chatter about this rule on April 11th. So three days after the rule became effective, DOJ put out some helpful guidance. They put out a compliance guide, some FAQs and other resources and also announced a 90-day grace period, until July 8th. But that 90-day grace period was meant to allow companies to get up to speed on this rule, start to engage in good faith efforts to comply with the rule to the extent they hadn’t done so already, because I think this didn’t get quite as much publicity and wasn’t quite as well-understood as DOJ had hoped by that April 8th date.

Terry Gerton So did DOJ find it necessary in addition to the FAQs and other sort of guidance to do some training and some direct engagement with folks or were they just hoping that the rules were enough to get everybody up to speed?

Townsend Bourne I think they’re doing what they can. Like I said, the guides that came out are helpful. They have been receptive. They have an email address that people could use during this grace period that I understand they were tracking and responding to emails during this grace period to answer questions and try to help people come up to speed. So there has been some engagement by DOJ. I know everybody’s busy right now, and there’s a lot going on at DOJ, so I’m sure that they are wishing they could do a little more here. But there has been some action on the part of DOJ to make sure that companies understand this rule and how to comply.

Terry Gerton So let’s take that last piece. How can companies make sure they’re in compliance? What do they need to do?

Townsend Bourne What we’ve been recommending is kind of a two-step approach to figure out how this rule might even apply to you. And the two pieces of it focus on the types of data that your company holds. DOJ is very clear in the compliance guide. This rule is centered around companies knowing their data and they expect companies to know their data. So we’ve been working with clients to analyze what types of data do they collect? And this rule covers, broadly, two big buckets of data. So the first is bulk U.S. sensitive personal data. So you can imagine — biometric identifiers, personal financial information, personal health information, social security numbers, contact, demographic data; things like that are covered in that first bucket of U.S. sensitive personal data. And for each of those categories, there is a bulk threshold. So the rule basically says, you have to look at the rule for the types of data. And then there’s a threshold, like 10,000 U.S. persons or for covered personal identifiers, it’s 100,000 U.S. persons. So if you’re meeting those bulk thresholds for the particular types of the data, you might be covered by the rule. So we’ve been looking at what types of data do our clients collect as a first step. In addition to the bulk U.S. sensitive personal data, there’s a second type of information covered, and that’s government-related data. That’s defined pretty specifically in the rule to be location data associated with government and military sites or data that’s marketed as linked to current or former government officials or contractors. So that’s relatively specific, but I think some people have lost sight of the fact that there is that government-related data piece here as well. So we’ve been looking at the data, and the real crux of this rule is regulating data transactions. So you may be collecting the types of data that are covered, but you are going to be subject to compliance under the rule if you’re engaged in a covered data transaction. So at a very high level, that means, you are somehow giving access to the covered data to somebody that is related to a country of concern. So you have to first look at the data, then look at the transactions that you’re involved in that might provide access to that data by somebody that’s covered under this rule.

Terry Gerton I’m speaking with Townsend Bourne. She’s a partner in the governmental practice at Sheppard Mullin’s Washington, D.C. office. So Townsend, that’s a really helpful and clear description of what’s covered. What happens if organizations are not in compliance by today, the end of the grace period?

Townsend Bourne The grace period was meant to allow companies to engage in good faith efforts without DOJ enforcement. After July 8th, DOJ will be back in its normal enforcement mode, so companies that are not in compliance may face consequences. Under the rule, there are penalties anticipated, so there are potentially civil and criminal penalties for not complying with these rules that DOJ will begin to enforce across the board starting July 8th.

Terry Gerton And my understanding is there’s another deadline out there, October 6th, that companies have some ongoing obligations to be ready to meet in another 90 days.

Townsend Bourne The way that the rule was promulgated, it went into effect April 8th. And for restricted transactions covered by the rule, there are specific security requirements that CISA has put out with regard to this rule. So for those security requirements, compliance was expected by April 8, and now, with the 90-day grace period, by July 8th. The rule also built in extra time for companies to develop a data compliance program, and that’s where the October date comes in. That was already built into the rule that companies will have a little bit more of a runway to implement the full data compliance program contemplated by this rule.

Terry Gerton So I’m imagining if you’re one of these big companies that typically has this kind of data and these kinds of transactions, you know who you are. And there’s somebody on your staff that’s responsible for this. But are these rules now broader or do they cover more organizations so that companies who might not have been required to comply with this before now need to and they need to stay current with these kinds of rules?

Townsend Bourne At this point in time, most companies know if they’re going to be subject to this and they’re working to get to that data compliance program state. This rule is different. It’s not really structured as a privacy rule, although a lot of it does center around the types of data that we generally think about when we’re talking about privacy law. It’s actually been compared more to an export control law. So it’s regulating data that is going to covered countries and covered persons. So in that respect, this is a little bit new because it’s kind of in between those two areas of law. So it is pulling in companies, as you can imagine, in all different industries. We’ve seen a lot, as you can imagine, in the tech space and the health care space, so those types of companies are looking at this and getting into compliance. There are, I think, for a lot of those big companies, existing compliance structures that they can leverage to get to compliance here, so it’s not quite as heavy of a lift. For example, there’s a lot in the DOJ compliance guide about vendor due diligence and how big companies are already doing that, but you’re going to have to update your vendor due diligence practices in accordance with this rule. There are also some audit requirements here, so of course, big companies generally already have a pretty robust audit function. But they’ll have to add a little bit there as well to comply with this new rule.

Terry Gerton Does this portend, do you think, a new trend in how DOJ is going to be approaching these kinds of data security issues in the future that companies will need to stay tuned for?

Townsend Bourne We’ve always been concerned about foreign adversaries and access to data, but this rule is very clear that that is going to be a focus. Companies, like I said, are very attuned to privacy law at this point. It took us a little while to get there when we were first kind of figuring out how all that should work; now that’s pretty solid. I think this will be a little bit of a shift in mentality and you’ll have to build on your existing practices. And again, think about this not as a traditional privacy law. It is a little bit different because we’re talking about regulating your transactions, not necessarily how you handle data across the board.

Copyright © 2025 Federal News Network. All rights reserved.