DOJ Data Security Rule Has Ticking Clock for Companies to Comply

May 20, 2025, 8:30 AM UTC

Companies that want to avoid breaking a new Department of Justice rule about how to store and use personal data are running out of time to ensure compliance by July 8.

Violations can carry significant civil and even criminal penalties. US firms are now realizing they must amend contracts, update computer networks, and revise their protocols for handling data.

The data security program’s new rule restricts—and in some cases prohibits—US companies from sharing bulk sensitive personal data with persons from China, Russia, Iran, and other countries identified as foreign adversaries. The rule is considered a “critical national security program,” according to the DOJ.

While the rule took effect on April 8, DOJ won’t prioritize enforcement for the first three months if a company is engaged in “good faith” efforts to comply. US companies should use this limited grace period (through July 8) to see how the rule applies to their operations and take appropriate steps to comply.

First, companies should review internal datasets and datatypes to determine if they are potentially subject to the rule. Sensitive personal data includes human genomic data, biometric data, precise geolocation data, personal health data, personal financial data, and covered personal identifiers.

Companies also should review whether they hold government-related data, including precise geolocation data for certain government-related locations or sensitive personal data that is marketed as linked to certain current or former US government employees.

Given the expansiveness of these categories, this undertaking may require a considerable amount of time and a holistic review of a company’s datasets and datatypes. The rule can cover a customer’s payment history (as a type of personal financial data) or a combination of an account name and password (as a type of covered personal identifier).

The categories also may be broader than they appear. For example, personal health data includes not only information collected by a doctor but also, as DOJ noted, “logs of exercise habits” which “could be collected by fitness apps.” If the company holds sensitive personal data, it should assess whether the data reaches the “bulk” thresholds established in the rule, which differ based on the type of data at issue.

Second, if a company has regulated data, it should review whether it may be engaged in a “data brokerage” agreement with any covered persons.

Subject to certain exceptions, the rule prohibits the sale of the regulated data to a covered person as well as “licensing of access to data, or similar commercial transactions” that provide a covered person with access to regulated data.

That means an array of data-sharing agreements—whether for research or as part of a joint venture—are prohibited and should be remediated promptly.

Third, if a company has regulated data, it should review whether it is engaged in a data brokerage agreement with any other foreign company or person—not just companies from China, Russia, and Iran.

The rule requires a US company engaged in a data brokerage agreement with any foreign person (regardless of where that person is located) to include a contractual provision under which the foreign person agrees not to provide a covered person with access to the regulated data.

In effect, this limits the ability to resell access to the data. The DOJ recently published a compliance guide that includes template contractual language. For these transactions, the US company is required to report any suspected violations to the DOJ.

Fourth, if a company has regulated data, it should review whether it may be engaged in a vendor, employee, or investment agreement that provides any covered persons with access to the regulated data.

Subject to certain exceptions, these types of transactions, while not prohibited outright, are subject to certain restrictions designed to protect the data. For example, these transactions must be conducted in compliance with organizational-, system- and data-level security requirements established by the Department of Homeland Security.

Additionally, the US company will need to develop a data compliance program that includes a written compliance policy and a training program, and meets certain due-diligence, auditing, and reporting requirements. If a company intends to continue with these restricted transactions, it may need to renegotiate agreements to comply with these requirements.

Fifth, companies should consider engaging with the DOJ to obtain guidance about how to move forward. These rules can be complex to apply to particular fact patterns, and the DOJ has noted that “specific facts may alter an analysis” depending on the scenario.

The DOJ has encouraged informal inquiries before July 8, and it has a process for advisory opinions and specific licenses, but noted it generally won’t review these before July 8.

Companies have less than two months to complete the compliance process. This could involve an extensive review, and the DOJ expects companies, where appropriate, to amend or renegotiate existing contracts that don’t meet the rule’s requirements.

Given the significant civil and criminal penalties involved—up to $1 million in fines and 20 years in prison—US companies should act swiftly to review their exposure to these new requirements and come into compliance with the rule if they fall within its scope.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

John Carlin is a partner at Paul Weiss and co-chair of its cybersecurity & data protection practice group.

Rush Atkinson is a partner at Paul Weiss and a member of its cybersecurity and data protection practice group.

Samuel Kleiner is counsel in Paul Weiss’ litigation department.

To contact the editors responsible for this story: Max Thornberry at jthornberry@bloombergindustry.com; Rebecca Baker at rbaker@bloombergindustry.com