Data transfer restrictions
Laws and other restrictions can limit or prohibit transferring data.
ENTITY
1 - Human
INTENT
2 - Unintentional
TIMING
1 - Pre-deployment
Risk ID
mit1276
Domain lineage
7. AI System Safety, Failures, & Limitations
7.3 > Lack of capability or robustness
Mitigation strategy
- Establish and implement a comprehensive, risk-based Data Compliance Program (DCP) by conducting thorough due diligence on all data flows, vendor agreements, and employment contracts to accurately identify and classify transactions involving bulk sensitive U.S. personal data or government-related data with covered persons or countries of concern.
- Implement the CISA-mandated robust data security requirements for all restricted transactions, prioritizing the hardening of access controls (e.g., multi-factor authentication) and system configurations to restrict access to covered data by foreign entities in countries of concern, and remediate known exploited vulnerabilities within the specified timeframe.
- Mandate explicit contractual provisions with all non-U.S. entities to strictly prohibit the subsequent transfer of covered data to countries of concern or covered persons, while simultaneously utilizing approved legal transfer mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), for all international personal data transfers.