The US Department of Justice (DOJ) is swiftly moving to enforce the new cybersecurity Executive Order (EO) signed on February 28, 2024. The EO, aimed at enhancing Americans’ data security, will come into effect next year. The DOJ has already begun key actions, including initiating a notice and comment process, developing enforcement and compliance regulations, and expanding staffing and resources. This expansion involves adding new attorneys and non-attorneys, creating a larger FIR Compliance and Enforcement Unit, and appointing a new Deputy Chief for National Security Data Risks.
Assistant Attorney General Matthew G. Olsen has emphasized that the new regulations will be robust, with a full range of civil, criminal, investigatory, and subpoena authorities. The DOJ plans to prioritize voluntary compliance, expecting companies to implement risk-based compliance programs tailored to their individual profiles. This approach involves assessing a company’s size, sophistication, products and services, customer base, and location.
To prepare for the upcoming regulations, companies should start by gaining a comprehensive understanding of their data landscape. This includes cataloging all sensitive data, ensuring it is properly protected through encryption and other security measures, and managing external data sharing with appropriate agreements. Companies must also monitor data access continuously, particularly for high-risk employees and third-party service providers.
Moreover, tracking data transactions and scrutinizing interactions with third-party data brokers is essential. Companies should ensure their contracts with third parties include strong security provisions and allow for immediate termination of access when necessary. Implementing these measures will help companies build a solid compliance program to meet the DOJ’s new requirements and safeguard against data breaches.