Skip to the main content.
Making screening easy for candidates

CVC - Mega Menu-01

With Verified Credentials' mobile-first candidate experience, you meet candidates where it's most convenient. Learn how easy we make it.

See how it works ›

Featured resource

Adverse Action Guide_Menu

Gain clarity about your compliance responsibilities with our new Adverse Action Guide! Use the interactive map to learn what regulations apply in your area.

Visit the guide ›

Verified Credentials is a leading background screening company. Since 1984, we’ve helped validate and secure relationships through the use of our comprehensive screening solutions. We offer a wide variety of background checks, verifications, and innovative screening tools.

Get to know us ›

Accredited background screening solutions

Logo-PBSA-Accreditation-120x98

Our accreditation confirms that our policies, processes, and employee training meet rigorous industry compliance standards.

Learn about our solutions ›

2 min read

Executive Order to Protect Sensitive Bulk Data in the U.S.

President Biden issued Executive Order 14117 on February 28, 2024, to address the threat of certain countries of concern accessing or misusing bulk American sensitive data. As a result, the order directly impacts data handling practices within organizations.

 

The order expands on the 2019 Executive Order 13873, Securing the Information and Communications Technology and Service Supply Chain. The original Executive Order addresses the "unrestricted acquisition or use of information and communications technology by foreign adversaries."

 

What is Executive Order 14117?

The primary goal of Executive Order 14117 is to limit access to Americans' sensitive personal data and US Government-related data to "countries of concern". The order authorizes the Attorney General to prevent the large-scale transfer of Americans' personal data. It notes that the development of artificial intelligence (AI) capabilities and algorithms exacerbates the risks of bulk sensitive data, such as recognizing patterns across multiple unrelated datasets and potentially de-anonymizing data. 

 

Executive Order 14117 restricts access when bulk sensitive data is considered an "unacceptable risk to the national security of the United States". The order defines sensitive data to include:

  • Personal identifiers
  • Geolocation and related sensor data
  • Biometric identifiers
  • Human 'omic data (data generated from humans that characterizes or quantifies human biological molecules or metabolic data)
  • Personal health data
  • Personal financial data
  • Any combination of the above

The order authorizes the Department of Justice (DOJ) to identify foreign governments that are countries of concern based on certain parameters. As of February 28, 2024, the DOJ specified the following countries as countries of concern:

  • China
  • Russia
  • Cuba
  • Iran
  • Venezuela
  • North Korea

The order also directs other federal departments and agencies to act, including promoting new rules and regulations, to curb the flow of "sensitive personal data" to countries of concern. The full text for Executive Order 14117 can be found here.

 

How does this affect employers?

Companies engaged in transactions that include bulk sensitive data or U.S. Government-related data, such as the sale or licensing of such data, can expect new regulations in the future.

 

Executive Order 14117 specifically highlights transactions that can provide unguarded access to Americans' bulk sensitive data such as data brokerages, third-party vendor agreements, employment agreements, and investment agreements. 

 

The DOJ in consultation with other government agencies will be identifying classes of prohibited data transactions, including:  

  • Data-brokerage transactions
  • Transactions involving the transfer of bulk human genomic data or human biospecimens from which human genomic data can be derived

The DOJ will also be considering three classes of restricted data transactions that may affect employers:

  • Vendor agreements (including technology services and cloud-service agreements)
  • Employment agreements
  • Investment agreements

What's next for employers?

This Executive Order is one of several recent regulations implemented as the Federal Government navigates proper precautions for using bulk data and AI safely. The October 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence is another example of this ongoing effort. Other details and new state-level regulations to safely guard sensitive data and specify guidelines for the safe use of AI are likely to follow.

 

Employers should review potentially affected agreements and transactions with their legal counsel, especially those related to technology services, cloud solutions, and the use or transfer of bulk sensitive data. Verified Credentials will continue to monitor the development of regulations designed to protect security and data and provide updates as they become available.

Utah Senate Bill 70: Consumer Reporting Amendments Explained

Utah joined the list of states in 2025 that have enacted legislation regulating what information can be reported to organizations requesting...

Read More

Texas Cracks Down on AI with the Responsible Artificial Intelligence Governance Act

The phrase, “don’t mess with Texas,” has taken on a whole new meaning. If you were considering using AI for business in Texas, you might want to hold...

Read More

Minnesota Consumer Data Privacy Act Now in Effect: Details Employers Need to Know

In 2024, we covered both Minnesota’s and Rhode Island’s Data Privacy Acts. While Rhode Island’s law will not go into effect until 2026, Minnesota’s...

Read More

Updates to New York’s Data Breach Notification Law Explained

In December 2024, New York Governor Kathy Hochul signed two bills amending the state’s current data breach notification law. Senate Bill S2659B and...

Read More

New Data Privacy Laws: What Employers Must Know

Consumer and data privacy laws have been popping up everywhere lately. Soon, nearly half the nation will have active consumer privacy data laws. It...

Read More

2024 Report on the Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA), which took effect in July 2023, is one of the nation’s pioneering consumer privacy laws. The CTDPA...

Read More