Evolution of Threat Landscape Impacts Individuals and Small Businesses, White House Directive Indicates Shift
In a move to safeguard American data from foreign adversaries, the U.S. government issued Executive Order 14117 (February 2024) and the Department of Justice's implementing Data Security Program (DSP). The directives aim to prevent the bulk transfer of sensitive personal data and U.S. government-related data to "countries of concern," currently China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela, and to "covered persons" owned by, controlled by, or subject to the jurisdiction of those countries.
Effective April 8, 2025, the DOJ's 2025 Final Rule prohibits or restricts "bulk" data transactions, with "bulk" defined by volume thresholds that vary by data category (from 100 U.S. persons for human genomic data up to 100,000 for covered personal identifiers; government-related data is covered regardless of volume). Because the rule applies to cross-border transactions with covered persons, any business that handles such data and could transfer it abroad, including small and medium-sized enterprises (SMBs), falls within scope.
The rule carries severe penalties for noncompliance: civil fines of up to $368,136 per violation or twice the value of the transaction, whichever is greater, and criminal penalties of up to $1 million in fines and up to 20 years' imprisonment for willful violations. The DOJ's 90-day limited-enforcement period ended on July 8, 2025, after which full enforcement began. By October 6, 2025, the rule's due-diligence, audit, and reporting obligations for restricted transactions take effect, so covered businesses must have conducted vendor risk assessments, set access controls, implemented the CISA security requirements for restricted transactions, and maintained compliance records.
The executive order aims to prevent foreign adversaries from collecting sensitive data through various means, including the acquisition of businesses or manipulation of business relationships. It also highlights the potential security concern of countries of concern targeting SMBs for investment, vendor, and employment relationships to gain access to Americans' data.
The implications for SMBs are significant. They must map and monitor their data flows and all third-party vendors to prevent unauthorized transfers to countries of concern or covered persons. The costs and operational burdens include performing vendor risk assessments, raising security controls to the federal standard, strengthening contractual data-protection terms, and maintaining detailed compliance documentation.
Michael Kosak, a former Department of Defense counterterrorism intelligence officer and a senior principal intelligence analyst at LastPass, considers this order a welcome one. He emphasizes that the mere quantity of data has now taken on a quality all its own, making it a sought-after target for countries, as it can be used for blackmail, AI training and analysis, monitoring dissidents, identifying and tracking intelligence officers, and medical research, among other purposes.
The executive order marks a significant tightening of U.S. cross-border data transfer regulation, focused on sensitive and bulk personal data, with national security concerns now overriding prior business practices and market assumptions about where data may flow. It underscores the importance of knowing where, and with whom, you share personal data so that you can protect yourself and your business accordingly.
As implementation unfolds, more guidance can be expected. The order serves as a reminder that we should all consider ourselves, and our data, potential targets on a much wider scale than ordinary cybercrime. Staying informed and taking proactive steps toward data security and compliance with the new regulations is essential.
- With Executive Order 14117 and its implementing Data Security Program (DSP), the U.S. government is addressing national-security concerns about sensitive data transfers, specifically by preventing bulk transfers to countries of concern and to covered persons associated with them.
- The DOJ's 2025 Final Rule, part of these directives, restricts cross-border data transactions and extends compliance requirements to any business, including small and medium-sized enterprises (SMBs), that handles such data.
- Given the severe penalties for noncompliance, SMBs need to map and monitor their data flows and all third-party vendors and implement the CISA security requirements for restricted transactions to prevent unauthorized transfers to countries of concern.
- Because the executive order reaches beyond technology into policy, legislation, and politics, it is a reminder for everyone to be mindful of where and with whom they share personal data, to protect themselves and their businesses in the face of growing cybersecurity challenges.