New federal rules governing data transactions with parties outside the US could put companies of all sizes at risk. The Data Security Program (DSP), run by the National Security Division of the US Department of Justice, restricts certain bulk data transactions involving sensitive personal data on US citizens, as well as US government-related data, with companies based in or majority-owned by any of six countries of concern: China, Iran, North Korea, Russia, Venezuela and Cuba. The regulations and prohibitions went into full effect on October 6.
Zachary Myers, co-chair of McCarter's Cybersecurity and Data Privacy group and former US Attorney for the Southern District of Indiana, noted that this is the first time the US has instituted a broad, nationwide data privacy regulation. He said that "companies that have never had to think about these sorts of things and thought that they were doing everything right in terms of even complying with existing privacy laws" could be affected. "I worry that a lot of people ... are going to be caught by surprise and potentially facing some significant scrutiny and enforcement liability." Zach went on to describe the new regulations as "essentially export controls for the data of either large numbers of US persons or of the US government and its personnel."
To ensure compliance with the DSP, Zach encouraged companies to do their due diligence: learn about the law; understand what data they collect, where it is stored and how it is used; and learn as much as they can about the companies they contract with. "You have the requisite data and you engage in a covered transaction with that data, and you might think you did it the right way, that you got the consent of the customer, you gave them notice, you sent the data in an encrypted form, even anonymized form, to a vendor that you had covered with a contract," he said. "But depending on the specifics there, you may still have run afoul of these new regulations."
