Understanding President Biden’s Executive Order on Sensitive Personal Data

By Zasio Staff posted 05-23-2024 04:44


This article first appeared on

By Frank Fazzio

On Feb. 28, 2024, the Biden administration issued a new executive order fortifying protections for the sensitive personal data of Americans and mitigating the risk of exploitation by foreign adversaries. This directive holds substantial implications for global enterprises, particularly those with extensive international operations.

Under the EO, key government departments, including Justice, Homeland Security, Health and Human Services, Defense, Veterans Affairs, and the Consumer Financial Protection Bureau, are tasked with executing various provisions of the order. These provisions encompass regulating access to government-related data, establishing security standards to prevent unauthorized dissemination of Americans’ data, and mandating that federal contractors and grant recipients safeguard data from certain nations.

In light of the EO, companies should anticipate guidelines and standards governing the processing, transfer, and security of sensitive personal data types such as genomic, biometric, health, geolocation, and financial data. Entities involved in data brokering or bulk data aggregation with overseas transfers may face substantial operational impacts.

The significance of preventing sensitive personal data proliferation cannot be overstated, especially concerning Americans’ financial security. Sensitive data often enables cybercrimes, including scams and theft. The broader the availability of information, the more avenues for exploitation exist for malicious actors to harm individuals or entities.

Although China and Russia are highlighted as key countries of concern, their global reach and intricate commercial and political networks mean that the order’s effects will be felt across a wide geographic area.

Organizations should proactively prepare to update their information management programs, IT security controls, contracts, procurement processes, and data transfer protocols once the regulations are finalized. For instance, security audits and penetration tests can spot system vulnerabilities. Program maturity assessments help understand deficiencies that, once resolved, free up resources for future challenges. Information collection initiatives identify personal data assets and cross-border data transfers that could face new regulations. Regular maintenance of recordkeeping and information management policies makes future updates more efficient and less disruptive.

By strengthening their information governance programs and integrating personal data management into policies, programs, and processes, organizations can better protect the sensitive personal data of their customers, employees, and stakeholders, and be better positioned to meet emerging threats and regulatory requirements.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.