The Matrix

Understanding National Security Implications of Sensitive Data

Business transactions, management changes or investments involving non-U.S. companies or individuals receiving control or information rights to U.S. companies are subject to review by the U.S. government for national security purposes. There is a particular concern if any sensitive individual or government data is held by the U.S. company.  U.S. companies holding sensitive data should consider whether their business may be subject to CFIUS review prior to entering any investment or engaging in M&A activities.  

The CFIUS review process considers any national security threat posed by a foreign person, the extent to which a particular U.S. business could influence national security, and any potential national security issues that could be exploited as a consequence of a particular business transaction.

Whether or not a buyer or investor is deemed to be a foreign person typically involves a fact-based analysis of the business and its ownership structure. A particular concern is whether the purchaser or investor is, or has a significant minority investment from, a foreign government. Additional considerations include whether there are any other shareholder arrangements between the parties who comprise the entity.  While passive investment transactions require a minimum investment amount to be subject to the FIRRMA regulations, any control or information rights granted to investors can be subject to CFIUS scrutiny.  Additionally, CFIUS has broad authority and can consider any scenario in which ownership, control or information rights are granted to, or could be asserted by, a non-U.S. person or entity. For example, this can include management arrangements, or significant customer or vendor relationships.

Assuming there is a foreign buyer or investor, CFIUS is authorized to review any merger, acquisition, partnership, joint venture, investment or takeover which results in:

  • foreign control of a U.S. business,
  • foreign access to sensitive information in the possession of a U.S. business,
  • foreign rights in, or involvement in the substantive decision-making of certain U.S. businesses related to critical technologies, critical infrastructure, or sensitive personal data, or
  • foreign ownership of property in close proximity to sensitive or strategic U.S. locations.

In most scenarios, CFIUS review is voluntary; however, CFIUS review is mandatory in some situations, most notably where there is an emerging technology developed at the U.S. business and/or where the foreign purchaser or investor is a foreign government.  Notably, there is no statute of limitations for CFIUS review.  While CFIUS review is typically thought of as a pre-closing consideration, CFIUS is also authorized to review any “non-notified” transaction, meaning any transaction which was not submitted for notice or any other transaction, transfer, agreement, or an arrangement which was structured to evade or circumvent CFIUS authority.  Failing to obtain a CFIUS review when such review was required can result in significant penalties, up to the value of a business transaction, and/or the unwinding of a deal (even years after the fact).

Certain types of businesses are subject to mandatory CFIUS reviews, including businesses holding sensitive data.  This includes both technical sensitive data otherwise controlled under ITAR or export control regulations, as well as numerous kinds of individual sensitive data. Under the Treasury regulations, sensitive personal data includes:

  • data from products or services that target U.S. agencies or military departments, their personnel or contractors;
  • financial data that could be used to determine an individual’s financial distress or hardship;
  • U.S. government data;
  • geolocation data;
  • non-public electronic communications data;
  • data concerning government security clearance status or used in an application for security clearance;
  • data relating to the physical, mental or psychological health condition of an individual (notably, not just data that would otherwise be protected by HIPAA); and
  • biometric enrollment data.

While the Treasury regulations set a data threshold at more than one million individuals over a twelve-month period, the various types of individual data held by a U.S. company can be aggregated to calculate whether the one-million-individual threshold has been met. Additionally, the data threshold can include all data that is currently retained from past customers if the company maintains such data under a data retention policy.  Regulatory commentary notes that utilizing current industry data protection standards, such as the National Institute of Standards and Technology or International Organization for Standardization frameworks, does not categorically exempt a U.S. business from CFIUS review.

CFIUS has previously stepped in to unwind transactions that involved social media, sensitive data and foreign investors.  For example, CFIUS has blocked or unwound foreign investment or takeover of U.S. businesses with sensitive personal information including HIV status (Grindr), financial services heavily used by members of the U.S. military (MoneyGram), and a healthcare-focused social media site (PatientsLikeMe).

As the deal frenzy continues, purchasers, sellers and companies should each carefully scrutinize whether a target company holds the types of data described in this article and whether to seek CFIUS approval for a transaction.
