- US DoJ issues final rule on Executive Order 14117
- Large transactions of US citizen data to hostile nations will be banned
- Ban will protect US national security by preventing US citizens from being targeted en masse in cyber espionage and foreign influence
The US Department of Justice has issued a final rule on Executive Order 14117, which President Joe Biden signed in February 2024, preventing the movement of US citizens’ data to a number of “countries of concern”.
The list of countries consists of China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, all of which the DoJ says have “engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of U.S. persons.”
It added that these nations could “access and exploit Americans’ bulk sensitive personal data and certain U.S. Government-related data.”
No US data for hostile nations
The final rule will come into effect in 90 days, with Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division stating, “This powerful new national-security program is designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access.”
The Executive Order is aimed at preventing countries generally hostile to the US from using the data of US citizens in cyber espionage and influence campaigns, as well as building profiles of US citizens to be used in social engineering, phishing, blackmail, and identity theft campaigns.
The final rule sets out the threshold for transactions of data that carry an unacceptable level of risk, alongside the different classes of transactions that are prohibited, restricted or exempt. Companies that violate the order will face civil and criminal penalties. The types of prohibited data are:
- Certain covered personal identifiers (e.g., names linked to device identifiers, social security numbers, driver’s license, or other government identification numbers)
- Precise geolocation data (e.g., GPS coordinates)
- Biometric identifiers (e.g., facial images, voice prints and patterns, and retina scans)
- Human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic)
- Personal health data (e.g., height, weight, vital signs, symptoms, test results, diagnosis, digital dental records, and psychological diagnostics)
- Personal financial data (e.g., information related to an individual’s credit, debit cards, bank accounts, and financial liabilities, including payment history)
The DoJ also said that the final rule does not apply to “medical, health, or science research or the development and marketing of new drugs” and “also does not broadly prohibit U.S. persons from engaging in commercial transactions, including exchanging financial and other data as part of the sale of commercial goods and services with countries of concern or covered persons, or impose measures aimed at a broader decoupling of the substantial consumer, economic, scientific, and trade relationships that the United States has with other countries.”
Via The Hacker News