Tag Archives: Assaf Ariely

DOJ Issues Final Rule Targeting Foreign Access to Americans’ Sensitive Data

by Michael T. Borgia and Assaf Ariely

Photos of Author

Michael T. Borgia and Assaf Ariely (photos courtesy of Davis Wright Tremaine LLP)

The U.S. Department of Justice (DOJ) has issued a comprehensive final rule (the “Rule”) targeting foreign access to sensitive U.S. data, including Americans’ “bulk” sensitive personal data.

The Rule, which DOJ announced on December 27, 2024, prohibits and restricts U.S. persons from entering into certain transactions involving access by “countries of concern” and “covered persons” to “bulk U.S. sensitive personal data” and “government-related data” by “countries of concern” and “covered persons.” “U.S. persons” subject to the Rule are defined broadly to include any U.S. citizen, national, or lawful person, any entity organized under the laws of the United States or any U.S. jurisdiction, and any person physically within the United States.

Continue reading

Commerce Department Proposes Cybersecurity/AI Reporting and “KYC” Requirements for Certain Cloud Providers

by Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely

Photos of authors

Left to right: Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely (photos courtesy of Davis Wright Tremaine LLP)

IaaS providers would need to verify foreign users’ identities (aka “know your customer”) and report certain AI model training activities under the proposed rules

The U.S. Department of Commerce’s (“Commerce”) Bureau of Industry and Security (“BIS”) has issued a proposed rule (the “Proposed Rule”) that would impose significant diligence, reporting, and recordkeeping requirements on U.S. providers of Infrastructure as a Service (IaaS) and their foreign resellers. IaaS is generally considered to be a cloud computing model that provides users with remote access to servers, storage, networking, and virtualization.

The Proposed Rule would require U.S. IaaS providers to:

  • Implement and maintain a “Customer Identification Program” (CIP), which must include detailed know-your-customer (KYC) procedures for identifying and reporting foreign customers to Commerce; and
  • Report transactions involving foreign persons that “could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.”

Continue reading