The rash of recent data breaches at American firms prompted
an executive order from the Biden administration directing multiple federal
agencies, including the Department of Justice (DOJ) and the Consumer Financial
Protection Bureau (CFPB), to take steps to help protect Americans’ sensitive
personal information.
The directive seeks to address bad actors in countries of
concern and hold U.S.-based companies accountable for safeguarding consumers’
data.
The Biden administration directed the DOJ and the Department
of Homeland Security to work together to establish clear regulations and
heightened security standards for protecting Americans’ sensitive personal data
from being exploited by bad actors in countries of concern.
The directive also instructs the Departments of Health and
Human Services, Defense, and Veterans Affairs to ensure that federal grants,
contracts and awards are not used to facilitate access to sensitive health data
by certain foreign nations, including via U.S.-based companies.
“Companies are collecting more of Americans’ data than ever
before, and it is often legally sold and resold through data brokers,” the
Biden administration wrote. “Commercial data brokers and other companies can
sell this data to countries of concern, or entities controlled by those
countries, and it can land in the hands of foreign intelligence services,
militaries, or companies controlled by foreign governments.”
President Joe Biden has encouraged the CFPB to consider
using its existing legal authorities to protect Americans against U.S.-based
data brokers who illegally assemble and sell sensitive data, including that of
U.S. military personnel, according to the order. CFPB Director Rohit Chopra
issued a statement indicating the bureau plans to do just that.
“Today's executive order is a reminder of the urgent need to
protect the personal data of Americans,” Chopra said. “Corporate data brokers
are assembling and selling extremely sensitive data on all of us, including
U.S. military personnel, to foreign purchasers. The executive order calls on
the CFPB to utilize its legal authorities to provide greater protections. This
year, we will be proposing new rules to rein in these abuses that will
safeguard families and our national security.”
The DOJ’s National Security Division plans to issue an advance
notice of proposed rulemaking (ANPRM) describing the categories of transactions
involving bulk sensitive personal data or certain U.S. government-related data
that the order covers, according to a DOJ press release. The agency is
seeking public comment on appropriate restrictions on data transfers and on
vendor, employment and investment agreements that could give countries of concern
access to such data. Written comments on the ANPRM may be submitted on
regulations.gov within 45 days.
“Our adversaries are exploiting Americans’ sensitive
personal data to threaten our national security,” U.S. Attorney General Merrick
Garland said in a statement. “They are purchasing this data to use to blackmail
and surveil individuals, target those they view as dissidents here in the
United States, and engage in other malicious activities. This executive order gives
the Justice Department the authority to block countries that pose a threat to
our national security from harvesting Americans’ most sensitive personal data —
including human genomic data, biometric and personal identifiers, and personal
health and financial data.”
In February, the DOJ unsealed indictments against two
Russian nationals for deploying LockBit, one of the most active ransomware strains in
the world. LockBit has been used against more than 2,000 victims, and its operators
and affiliates have received more than $120 million in ransom payments while making
ransom demands totaling hundreds of millions of dollars, according to the DOJ.
“For years, LockBit associates have deployed these kinds of
attacks again and again across the United States and around the world. Today,
U.S. and U.K. law enforcement are taking away the keys to their criminal
operation,” Garland said at the time. “And we are going a step further — we
have also obtained keys from the seized LockBit infrastructure to help victims
decrypt their captured systems and regain access to their data. LockBit is not
the first ransomware variant the Justice Department and its international
partners have dismantled. It will not be the last.”
The LockBit charges were announced shortly after
BlackCat (also known as ALPHV and Noberus) claimed responsibility for recent
cyberattacks on loanDepot and Prudential. Recent cyberattacks on other large
companies, such as Bank of America, Fidelity National Financial (FNF) and
First American, underscore the need for constant vigilance against
cybersecurity threats.