10 September 2025

What Compliance Leaders Need To Know Ahead Of Crucial DOJ Data Security Program Deadline

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

The DOJ's new data security program imposes significant compliance obligations on companies handling sensitive personal or government-related data, with a critical deadline approaching in early October. Sheppard Mullin partner Townsend Bourne outlines how compliance leaders can meet national security mandates and reduce the risk of criminal and civil penalties.

Is your business ready to comply with the full scope of the DOJ's new data security program (DSP)? If not, steep civil and even criminal penalties could be heading your way.

The new framework, which went into effect in April, imposes controls to prevent Americans' sensitive personal information and other government-related data from falling into the hands of foreign adversaries. Companies that collect and share this information in sufficient volumes are subject to the DSP's requirements, and to the risk of consequential enforcement actions and fines.

Key prohibitions and restrictions on data transfers are already in place. But time is running out for companies to implement additional compliance obligations like audits, internal controls, reporting procedures and program due diligence ahead of the final Oct. 6 deadline.

A new framework for data security

The DOJ's new program focuses on transactions involving bulk sensitive personal data or government-related data, from data brokerage and vendor agreements to employment or investment agreements. Companies are generally barred from transacting in a way that would allow individuals or entities on the National Security Division's covered persons list, or countries of concern (e.g., Russia, China, Iran, North Korea, Cuba and Venezuela), to access this information.

Covered data types include the genomic information, precise geolocation data and personal health or financial information of US persons, with varying volume thresholds for triggering DSP requirements. The DSP's requirements even cover transactions where the bulk data has been anonymized, aggregated or encrypted.

For example, the DSP covers situations where a US company hires an individual in a country of concern to help develop a new AI tool and, as a result of this employment, the individual has administrator rights to access and download bulk quantities of personal data. It also would apply to a US company that develops mobile games that collect bulk precise geolocation data and that contracts part of its software development to a covered person, allowing access to the bulk data. Other covered scenarios include appointing an individual in a country of concern to a US company's board of directors, which would give the individual access to bulk personal financial data, or engaging a foreign private equity fund located in a country of concern to provide capital for construction of a data center in the US.

While many companies have focused on the sensitive personal data requirements, it's important to remember that the DSP also regulates transfers involving precise geolocation data for any location on the government-related data list (included in the new DOJ regulations), as well as sensitive personal data marketed as linked or linkable to current or recent former US government personnel or contractors, regardless of volume.

Additionally (and unconventionally), companies are required to make a report to the DOJ within 14 days of receiving and rejecting an offer to engage in a prohibited transaction involving data brokerage. The report should include information about the individuals requesting the transfer, the types and volume of data requested, the proposed method of transfer and accompanying documentation.

Further, as outlined in the DOJ's FAQ, there are a number of exemptions to these restrictions for specific situations, such as routine corporate group business transactions with affiliate companies overseas or certain kinds of routine financial services transfers. Still, companies that may engage in restricted transactions need to put heightened security measures in place to avoid willful violations, which could bring criminal penalties of up to $1 million in fines and two decades in prison.

Originally published by Corporate Compliance Insights

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
