Draft CFIUS Rules on Personal Data Mean 'More Thinking and Planning' for Data Risks
The law expands jurisdiction of the Committee on Foreign Investment in the U.S. over transactions involving businesses with data on individuals that "may be exploited in a manner that threatens to harm national security."
October 08, 2019 at 03:00 AM
8 minute read
The original version of this story was published on Corporate Counsel
Proposed regulations for national security reviews of deals involving foreign investments in U.S. companies that store large amounts of "sensitive personal data" will likely mean scrutiny of many more transactions than before, lawyers said.
Given the definition of "sensitive data" under the draft rules, insurance companies, especially those insuring government personnel; biotech, health care and health technology companies; and those with data-driven business models are likely to be swept up, experts said. The law expands jurisdiction of the Committee on Foreign Investment in the U.S. over transactions involving businesses with data on individuals that "may be exploited in a manner that threatens to harm national security," according to the text of the draft regulations.
"This will be a big thing for companies that are data-centric," said David Hanke, a partner at Arent Fox in its international trade and national security practice. "More thinking and planning on their part will be needed up-front to understand the potential risks."
The draft rules were issued by the U.S. Department of the Treasury last month as part of a huge package of proposed regulations implementing the Foreign Investment Risk Review Modernization Act, which was enacted last year with bipartisan support in Congress. They expand the scope of reviews by CFIUS, the interagency panel chaired by the Department of the Treasury secretary that examines investment in U.S. companies for potential national security risks, which historically centered mainly on military and strategic-related technologies and infrastructure.
Lawyers said the draft regulations would require companies and their lawyers to think carefully about how to structure deals involving sensitive data, such as whether to allow foreign investors to provide input into certain types of decisions, or to play roles that could trigger CFIUS's jurisdiction, and whether it would be prudent to voluntarily file for a CFIUS review even when one is not mandatory. Agencies such as the Defense and Justice departments increasingly are reviewing deal announcements for potential conflicts, one said.
Brian Egan, a partner at Steptoe & Johnson LLP in Washington, D.C., said, "We are going to see more clients who inadvertently undergo investments where they don't realize this new CFIUS requirement could be triggered. We are going to have more after-the-fact questions from companies that didn't know an investment was within CFIUS's jurisdiction, and just got a letter from CFIUS and ask, 'What do we do?' This will lead to more filings with CFIUS."
The draft rules were released on Sept. 17 with a shorter-than-usual 30-day comment period during which stakeholders can make written statements about the rulemaking's impact. Final regulations will be issued early next year.
The 300-plus-page document, which had an additional 135-page section on draft rules governing real estate transactions, lays out a definition under FIRRMA of "sensitive personal data," which is different from, but overlaps, personally identifiable information, or PII, referenced in other federal statutes. There are 11 expansive categories of data covered in the regulation.
But the law is narrowly tailored to cover only transactions with specific features, such as where a foreign person gets a board seat, or is involved in substantive decision-making about how a U.S. company will use the personal data, Hanke said.
Some recent examples of transactions that prompted CFIUS reviews where sensitive data was an issue include:
- China Oceanwide Holdings Group Co. Ltd.'s acquisition of Genworth Financial Inc., which CFIUS approved last year with mitigation, and which received necessary approvals from state regulators but has not yet closed with the deadline extended until Dec. 12.
- Beijing Kunlun Tech Co. Ltd.'s agreement in May to divest from the gay dating app Grindr under orders from CFIUS with a June 2020 deadline, which was a rare example of the committee ordering the unwinding of a completed deal. Kunlun acquired the app, which includes geolocation data and HIV status data, between 2016 and 2018 without submitting an application for review to the panel, according to Reuters.
- CFIUS's demand that Fosun International Ltd. divest from Wright USA, an Ironshore Inc. unit that served federal employees and law enforcement personnel, as a condition of receiving approval for its $1.83 billion bid for full ownership of the private equity-backed property and casualty insurer in 2015. Ironshore ultimately was sold off to Liberty Mutual Holding Co. in 2017.
Under the draft regulations, CFIUS jurisdiction is expanded to include review of not just controlling investments by foreign investors, but also minority, noncontrolling investments in certain businesses that the agencies deem of interest to national security. "It has brought CFIUS more into the mainstream of equity investment than it was when I was in the Treasury Department several years ago," Egan said.
They introduce a mandatory filing requirement for transactions where a foreign government has a "substantial interest" in a foreign entity that acquires a "substantial interest" in a U.S. technology, infrastructure or data business.
|Definition of Sensitive Data Under Draft Rules
A U.S. business that keeps or collects personal information on U.S. citizens would qualify as a technology, infrastructure or data business covered by the FIRRMA if the data includes genetic information; or if the data is in one of 10 categories of identifiable data that can be used to establish a U.S. citizen's identity and the business tailors products or services to the military or sensitive U.S. government agencies or intends to maintain data on more than 1 million individuals.
Categories of data covered by the proposed regulations include PII that could be used to determine financial distress, consumer credit reports, physical health and mental health data, geolocation data, biometric enrollment data and data concerning U.S. government personnel security clearances. Identifiable information includes names, addresses, email addresses, Social Security numbers and phone numbers or other unique identifiers. Genetic information is a separate category.
The rules don't cover data that is a matter of public record such as court records, or data collected by U.S. businesses on its own employees unless they are government contractors holding U.S. government security clearances.
CFIUS lawyers said the new rules under FIRRMA aren't likely to end with a change of administrations, as could be the case with some trade tariff and sanctions-related work. But they expect that some rules would be amended and updated over time as the agencies receive feedback. The sensitive data rules are most likely to be updated regularly because the nature of data and its uses change quickly, said Hanke, who was a staff architect of the legislation as a professional staff member in the U.S. Senate.
The lawyers also said high demand for lawyers with expertise in the formerly niche field probably would continue as a result of increased need to file applications with the committee.
"It is likely that as law firms see more demand, we are going to make sure we have the resources to meet those demands and it seems like there is no sign that demand is going to go down anytime soon," said Egan, who most recently served as a State Department legal adviser in the Obama administration and joined Steptoe in 2017.
Hanke said lawyers with direct experience with CFIUS will have an advantage because the confidentiality rules surrounding the secretive agency mean there is "no book of precedent" and the committee's proceedings are not widely discussed.
"You have to have direct experience to understand the thought processes," he said.
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Sterlington Brings On Former Office Leader From Ashurst
- 2DOJ Takes on Largest NFT Scheme That Points to Larger Trend
- 3Arnold & Porter Matches Market Year-End Bonus, Requires Billable Threshold for Special Bonuses
- 4Advising 'Capital-Intensive Spaces' Fuels Corporate Practice Growth For Haynes and Boone
- 5Big Law’s Year—as Told in Commentaries
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250