The Biden administration has proposed new rules aimed at regulating the transfer of sensitive data, including biometric information, to adversarial nations such as China and Russia. The rules seek to curb the potential exploitation of American financial, biometric, and other sensitive personal data by foreign actors who may use it to harm U.S. interests.
Under these new guidelines, there are strict limitations on the volume of sensitive data that can be transferred to companies and individuals in six designated countries: China, Russia, Iran, North Korea, Venezuela, and Cuba. The most stringent restrictions apply to biometric and genomic data, which are particularly valuable in the context of national security. For example, U.S. companies will not be allowed to transfer more than 100 Americans’ biometric or genomic data over any 12-month period to any of these nations. Biometric data is seen as posing a high risk if acquired by foreign actors, as it could be used to track individuals or compromise secure authentication systems.
The rules are especially focused on preventing data brokers from selling sensitive information, including biometric data, to entities in these adversarial countries. Data brokers have been identified as a significant vulnerability, with many selling personal data on the open market without sufficiently understanding how it might be used once transferred.
The Biden administration is positioning these restrictions as essential for national security, citing the growing capabilities of artificial intelligence and big data analytics among its adversaries. With AI, foreign entities could enhance their ability to process and exploit biometric data to build comprehensive profiles of individuals, potentially enabling espionage or the targeting of national security leaders.
Businesses handling American biometric data will need to ensure compliance with these proposed regulations, including record-keeping and reporting requirements. They will also need to adopt stricter cybersecurity measures aligned with existing National Institute of Standards and Technology (NIST) frameworks, focusing on encryption, data minimization, and access control.
Companies failing to meet these requirements could face civil and criminal penalties, marking a significant shift in how the U.S. government intends to safeguard its citizens’ biometric and personal data from foreign exploitation.
Commenting on the new rules, James Joyner, a Professor of Security Studies at Marine Corps University’s Command and Staff College, expressed skepticism.
“Many if not most of the companies involved are multinational,” he wrote. “If their data is available in any number of non-US countries who don’t have similar laws, US law won’t protect said data.”
Joyner added that “these governments are unlikely to purchase the data directly rather than through a stalking horse. For that matter, China, Russia, and Iran have elite level hacking capabilities, so they can likely get it without purchasing it.”
The Biden administration’s proposal of these new rules does not involve legislation passed by Congress; it is part of the executive branch’s regulatory process. By issuing an executive order and directing federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) to draft and enforce these regulations, the White House is using its existing authority to move the proposed rules through a formal process. That process includes a public comment period, in which feedback will be considered before the regulations are finalized and enforced.
Sources: The Record, Outside the Beltway
October 22, 2024 – by Cass Kennedy