Operationalizing Compliance with the DOJ’s Rule For Bulk Transfers of Sensitive Personal Data

In 2024, President Biden issued an Executive Order directing the Department of Justice to regulate the transfer of U.S. government data and bulk U.S. sensitive personal data to “countries of concern” - China, Cuba, Iran, North Korea, Russia, and Venezuela - as well as to persons or corporations under their control.
The purpose of the Order is to prevent America’s adversaries from acquiring data that could be used for espionage, to train AI models that might pose a threat to U.S. national security, or to otherwise present a significant risk of harm to the interests of the U.S. government or American citizens.
The DOJ’s Data Security Program Rule achieves the Order’s purposes by prohibiting or restricting certain kinds of “covered transactions” - data brokerages, employment agreements, vendor agreements, and investment agreements - that involve bulk quantities of sensitive personal data belonging to certain defined categories. Generally speaking, the more sensitive the data, such as genomic or biometric data, the fewer instances are required to be considered “bulk.”
Both the Order and the Rule make clear that their purpose is not to impose a general data localization requirement such as we’ve seen in countries like China and Russia. While some transfers are prohibited, restricted transactions may go forward so long as data controllers have put in place adequate data security and governance controls, and clarified downstream privacy and security requirements for third party processors via safeguards like specific contractual clauses.

Nor is the intent to burden legitimate commercial or scientific exchange. Most transfers of PII or financial data will likely fall into the exception for normal business transactions, for example. Nevertheless, the government expects organizations involved in covered transactions to “know their data,” and to “have awareness of the type and volume of their data.” That’s where data security posture management (DSPM) becomes essential.
Understanding Cyera’s Data Discovery and Classification Capabilities
Cyera’s AI-native Data Security Platform discovers your organization’s data across SaaS, PaaS, IaaS, and DBaaS datastores, as well as on-prem resources. You’ll see how many datastores you have, how many records per datastore, where the data subjects of those records reside, and who has access. And Cyera’s agentless deployment means you’ll get this visibility into your data ecosystem within minutes, not months.
Moreover, Cyera’s classification engine comes with pre-trained classifiers aligned to most major regulatory frameworks, allowing it to tag personally identifiable information (PII), personal health information (PHI), and various categories of personal financial information such as credit card and bank account numbers. Contextual insights include identifying information like the region where a datastore is located or the residency of data subjects.
In addition to its out-of-the-box classifiers, Cyera’s DSPM can also learn data categories unique to your organization. On average, 20 to 40 percent of our customers’ data belongs to one of these learned classifications, including everything from PII like “Employee ID” to valuable IP like “product formulas” or “recipes.”
While Cyera’s AI can likely learn the most important data categories for your organization, our customer success engineers are ready to help you develop custom rules if necessary to ensure you get the most value possible from your deployment. Between out-of-the-box and learned classification methods, and our flexible policy engine, nearly every important commercial and regulatory use case is covered. Compared to manual efforts, Cyera delivers visibility and precise classification far more quickly and at significantly lower cost.
Beyond Insights: Remediation and Validation
But Cyera also gives you control. It monitors your data ecosystem for new datastores and new users. It identifies risky users with excessive permissions, or stale users whose accounts should be deprovisioned. It keeps tabs on permission creep and over-sharing, and by identifying the residency of your users from “countries of concern”, can help you comply with the DOJ Order and Rule.
Not only can you explore and see who has access to your data within the Cyera platform, but you can define policies to alert when a critical number of records of a certain data category (“Personal Financial Data”, for example) are discovered in a datastore accessible by users based in a particular region or country. More importantly, Cyera lets you turn those alerts into action, integrating with your workflow tools and facilitating automated remediation. It can also send notifications directly to relevant stakeholders (e.g., privacy, security, compliance) via email or Slack, with instructions for manual remediation.
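The kind of policy described above, as an added illustration that is not Cyera’s code or the text of the DOJ rule: a minimal check that flags a datastore only when a sensitive data category reaches a bulk threshold and at least one user with access resides in a country of concern. The category names and threshold figures are assumptions for illustration and should be verified against the final rule.

```python
from dataclasses import dataclass

# Countries of concern named in the Executive Order (as listed on this page).
COUNTRIES_OF_CONCERN = {"China", "Cuba", "Iran", "North Korea", "Russia", "Venezuela"}

# Assumed bulk thresholds (records about U.S. persons), illustration only;
# verify the categories and figures against the final DOJ rule before relying on them.
BULK_THRESHOLDS = {
    "Human Genomic Data": 100,
    "Biometric Identifiers": 1_000,
    "Precise Geolocation Data": 1_000,
    "Personal Health Data": 10_000,
    "Personal Financial Data": 10_000,
    "Covered Personal Identifiers": 100_000,
}

@dataclass
class Datastore:
    name: str
    record_counts: dict      # data category -> number of records discovered
    accessor_countries: set  # residency of the users who can read the datastore

def evaluate_policy(stores, thresholds=BULK_THRESHOLDS):
    """Return (datastore, category, count, threshold, countries) for every datastore
    holding a bulk quantity of a sensitive category that is readable by a user in a
    country of concern. Below-threshold data and other countries are not flagged."""
    findings = []
    for store in stores:
        exposed = sorted(store.accessor_countries & COUNTRIES_OF_CONCERN)
        if not exposed:
            continue  # no user from a country of concern has access
        for category, count in store.record_counts.items():
            limit = thresholds.get(category)
            if limit is not None and count >= limit:
                findings.append((store.name, category, count, limit, exposed))
    return findings

# Constructed sample inventory, not real data.
SAMPLE_STORES = [
    Datastore("hr-db", {"Covered Personal Identifiers": 250_000}, {"United States", "Russia"}),
    Datastore("lab-s3", {"Human Genomic Data": 40}, {"China"}),             # below bulk threshold
    Datastore("billing", {"Personal Financial Data": 12_000}, {"Canada"}),  # no country of concern
    Datastore("clinic", {"Personal Health Data": 10_000, "Biometric Identifiers": 999}, {"Iran"}),
]

if __name__ == "__main__":
    for name, cat, n, limit, where in evaluate_policy(SAMPLE_STORES):
        print(f"ALERT {name}: {n} {cat} records (bulk >= {limit}) accessible from {', '.join(where)}")
```

Running it flags hr-db and clinic only; the below-threshold genomic data and the Canada-only billing store are left alone, which is the behaviour a policy should have so that ordinary business transfers do not generate noise.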
Cyera can generate audit logs and reports, making it easier to document the scope of transactions that prompted an analysis and remediation actions taken for DOJ compliance purposes. If called upon by federal regulators, you can leverage Cyera’s auditing and reporting capabilities to attest to the amount and location of sensitive personal data in your data ecosystem, as well as your efforts to limit or remove access to your data by users located in countries of concern.
Compliance can often feel like a daunting task, but meeting the demands of the Data Security Program Rule doesn’t have to take a Herculean effort. The DOJ wants organizations to know their data and keep it secure. At Cyera, that’s literally our mantra. And with the visibility and control afforded by Cyera, it’s never been easier. To learn more, request a demo today at Cyera.com.