Preparing for Sensitive Personal Data Security Requirements

On April 8, a U.S. Department of Justice (DOJ) rule took effect that restricts the handling of U.S. personally identifiable information (PII), where companies or their employees, vendors or investors have touchpoints in China, Russia and other countries of concern.

Background and Key Provisions

The Final Rule, published in December 2024, applies to “covered data transactions” that may enable “countries of concern” or “covered persons” to access bulk U.S. sensitive personal data or data linkable to U.S. Government or contractor personnel.

The term “access” means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive, in any form. This includes through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software. DOJ clarified in the Final Rule that “access” is to be determined “without regard for the application or effect of any security requirements.” [28 CFR 202.201]

The Rule identifies three substantive classes of covered data transactions that would be prohibited:

  1. Data-brokerage transactions with countries of concern or covered persons;
  2. Data-brokerage transactions with any foreign person unless that person is contractually required to refrain from subsequent transactions with countries of concern or covered persons;
  3. Any transaction involving bulk human ‘omic and biospecimen data, where the transaction may enable countries of concern or covered persons to access such data. Human ‘omic data is data related to the study of aspects of human biology – e.g., genomic, epigenomic, proteomic, transcriptomic and other profiles. [28 CFR 202.301-303, 224]

The Rule also identifies three classes of covered data transactions that would be prohibited unless they comply with CISA Security Requirements and related audit and compliance measures:

  1. Vendor agreements (including agreements for technology services and cloud-service agreements);
  2. Employment agreements;
  3. Investment agreements – where the transaction may enable “countries of concern” or “covered persons” to access U.S. Sensitive Personal Data or Government-related Data. [28 CFR 202.401]

In a companion January 2025 release, CISA published Security Requirements for Restricted Transactions, which are derived from practices defined in authoritative U.S. Government information security guidance, including the U.S. National Institute of Standards & Technology’s (NIST) Cybersecurity Framework, Privacy Framework, and Special Publication 800-171 rev 3, as well as the Cyber Performance Goals enumerated by CISA.

The Rule reflects a growing set of U.S. Government actions to address risks from technology touchpoints in adversary countries, starting with the first Trump Administration’s Executive Order 13873 on Securing the Information & Communications Technology Supply Chain and continuing through the Biden Administration.

What to Do About It

Corporate leaders should ensure sufficient visibility into their operations and understand which activities are likely to be impacted by the DOJ Rule, ensure implementation of the CISA Security Requirements for any in-scope restricted transactions, and prepare for the related compliance, audit, recordkeeping and certification requirements.

Visibility and Considerations

  • Bulk U.S. Sensitive Personal Data and Government Data. Do we collect U.S. personal data elements articulated in the DOJ Rule, and in what quantity?
  • Employment Agreements with Covered Persons. Are we planning to employ individuals who would be considered “covered persons” under the DOJ Rule – for example any foreign persons (not just citizens of countries of concern) who are primarily resident in countries of concern?
  • Vendor Agreements. Are we planning to contract (or renew existing contracts) with vendors that would be considered “covered persons”? Are any of our vendor support staff primarily resident in countries of concern?
  • Investment Agreements. Subject to the passive investment exemption discussed above, are we considering investment agreements that convey ownership interests to companies subject to the jurisdiction of a country of concern, or covered persons (even if the agreements expressly forbid access to bulk U.S. person PII)?
  • Hong Kong & Macau. Have we scoped our China-related analysis to include not just mainland China, but also Hong Kong and Macau?
  • Access to De-Identified US Bulk PII. If the nature of our business requires access to identity attributes, can we meet CISA Security Requirements for de-identification?
  • System Architecture. Does our system architecture (e.g., Active Directory structure/administration, database/server/endpoint administration, network connectivity and administration, application administration, help desk, ticketing, etc.) potentially enable access by covered persons (without regard to whether security controls have limited that access)?

  • Review Security Requirements. If necessary, do we have CISA Security Requirements in place, and if so, are they aligned to the spirit of the DOJ Rule?
  • Compliance. How would we validate adherence to compliance practices for any “restricted transactions,” including requirements for independent audits, record keeping and certification of compliance?

Adam Isles is principal and head of Cybersecurity. Services are aligned to The Chertoff Group Risk Management Framework, which focuses on assessing cybersecurity risk, applying mitigations driven by defined business priorities, and monitoring risks for consistency and durability.
