The US Justice Department on Monday announced it is seeking public input on a proposed rule designed to rein in foreign adversaries who are freely collecting Americans' private data by the boatload.
The proposal – “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” – was first introduced by an Executive Order signed by President Joe Biden back in February.
The DoJ has officially introduced a Notice of Proposed Rulemaking (NPRM) with the goal of finally implementing the rule, but only after a set period of 30 days allowing the public to voice its opinion on the proposal.
The administration warns that “countries of concern,” such as China and Russia, can use their access to the bulk personal data of Americans “to engage in malicious cyber-enabled activities and malign foreign influence.”
Other nations identified by the DoJ include Iran, Venezuela, Cuba, and North Korea.
Federal officials say the sensitive information could be used to target certain individuals, such as US military members, federal employees, and US contractors.
Gathering personally identifiable information (PII) on such individuals to track locations or build profiles could lead to blackmail or espionage, the DoJ said, adding that foreign adversaries could also use the bulk data to “collect information on activists, academics, journalists, dissidents, political figures, and marginalized communities.”
Furthermore, the 'collected data profiles' could be used to intimidate or threaten those persons to curb political opposition or tamp down on civil liberties and other freedoms of expression.
Justice Department Issues Comprehensive Proposed Rule Addressing National Security Risks Posed to U.S. Sensitive Data
National Security Division, U.S. Dept of Justice (@DOJNatSec) October 21, 2024
🔗: https://t.co/M4s8KVl4kr pic.twitter.com/liJ6xa3v6u
The DoJ’s National Security Division said it is working concurrently with the US Cybersecurity and Infrastructure Security Agency (CISA), which has further developed a slew of cybersecurity requirements covering not only the restricted data itself, but also the transactions under which that data would be processed.
“These proposed security requirements comply with organizational and system-level requirements, including implementing basic organizational cybersecurity policies, practices, and controls, and data-level requirements, such as data minimization and masking, encryption, and privacy-enhancing techniques,” the CISA document states.
According to the Executive Order (E.O.) 14117 under the DoJ, the rule would:
- Establish categorical rules for certain data transactions
- Identify classes of prohibited and restricted transactions
- Identify countries of concern
- Identify classes of covered persons
- Identify classes of exempt transactions
For example, certain types of data covered under the transfer ban to 'nations of concern' would include human genomic data on over 100 Americans, personal health or financial data on over 10,000 people, and precise geolocation data on over 1,000 U.S. devices, according to Reuters.
Other processes to be established include a detailed explanation of the DOJ’s methodology for establishing bulk thresholds, assessing the potential economic impacts of the rule, and addressing compliance, reporting, and other due-diligence obligations for covered transactions, the DoJ announcement stated.
Third-party vendor, employment, and investment agreements would all be covered under the proposed rule, and non-compliant entities would be subject to both civil and criminal penalties.
The DoJ said it has also reached out to industry stakeholders, such as trade association groups, subject-matter experts, and private cybersecurity organizations, to weigh in on the details and on previous public comments from this spring.
The public can submit written comments online for 30 days, once the proposed rule is published in the Federal Register, the DoJ said.