This blog post is the latest installment in a series focused on the DOJ’s Bulk Sensitive Data Rule, and is intended to help stakeholders navigate the complex rule’s requirements and move toward full compliance.
Epstein Becker Green’s previous blog post on this topic encouraged U.S. organizations across all industries with cross-border operations – including health care/life sciences, finance, e-commerce, and research – to “know their data.” In this post, we discuss why it is critical for these organizations to also “know their vendors.” We discuss how the BSD Rule imposes new requirements on U.S.-based companies to monitor and scrutinize vendor engagements beyond those with the six designated countries of concern.
As Epstein Becker & Green, P.C. previously reported, the National Security Division of the U.S. Department of Justice (“DOJ”) issued a final rule, effective on April 8, 2025, called the Bulk Sensitive Data Rule (“BSD Rule”) (codified at 28 C.F.R. Part 202), which prohibits and/or restricts U.S. persons and/or companies from engaging in certain transactions involving certain categories of government-related data and sensitive personal data with covered persons or six countries of concern– China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”). New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.
Scope and Exemptions
SB 332 imposes obligations on “controllers” – entities or individuals that determine the purpose and means of processing personal data – that ...
Recently, Florida Governor Ron DeSantis signed Senate Bill 262 and Senate Bill 264 into law. These new laws grant Floridians greater control over their personal data and establish a new standard for data handling and protection. Senate Bills 262 and 264 take effect on July 1, 2023.
Connecticut becomes the fifth state to pass a comprehensive privacy law. Are you prepared for state privacy law compliance required in 2023?
Our colleague at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”
Following is an excerpt:
The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space ...
Our colleague at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers in the health care industry: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare."
Following is an excerpt:
The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health ...
Blog Editors
Recent Updates
- Health Care Without the Hospital: ChatGPT Health and Claude Go Direct to Consumers
- The HTI-5 Proposed Rules: ASTP/ONC’s Cleanup and the Hard Work that Lies Ahead
- Just Released: Telemental Health Laws – Download Our Complimentary Survey and App
- OIG Limits Sign-On Bonuses to In-Home Family Caregivers
- Governing Health AI Development and Adoption: Insights from HHS’s Recently Announced Strategy to Promote AI in Healthcare