
Data in the Evolving World of Life Sciences: Part 3

Compliance, Regulation, and National Security

In my past two blogs, I wrote about the role of data in life sciences, first through the lens of research and development and medical affairs, and then through the principles of quality and compliance in manufacturing. This next frontier takes that discussion one step further. Today, compliance and regulation in life sciences extend beyond clinical and manufacturing oversight; they now intersect with national security. As data volumes grow and global collaboration increases, protecting sensitive health and research information has become not only a matter of privacy and ethics, but also one of geopolitical importance.

Historically, life science organizations only needed to worry about the United States Food and Drug Administration (FDA), the European Medicines Agency (EMA), and other countries’ pharmaceutical regulatory agencies.

In general, life science companies operated outside the scope of US national security regulations and of exemptions from US privacy laws. The United States has recognized that certain countries maintain an adversarial stance towards it.

Protecting Americans’ Sensitive Data from Foreign Adversaries

On February 28, 2024, President Joe Biden signed an executive order, Protecting Americans’ Sensitive Data from Foreign Adversaries, expanding the scope of Executive Order 13873 (May 15, 2019) and Executive Order 14034 (June 9, 2021). President Biden issued this order in response to certain countries attempting to steal various types of bulk sensitive personal data. From the administration’s perspective, the appropriation of this information constituted an unusual and extraordinary threat, originating in whole or in substantial part outside the United States, to the national security and foreign policy of the United States. Access to Americans’ bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. Countries of concern could use advanced technology (e.g., artificial intelligence) to analyze and manipulate bulk sensitive personal data to engage in espionage, influence kinetic or cyber operations, and identify strategic advantages over the United States. [1]

Building on the Biden Era Executive Order

In April 2025, the US Department of Justice’s (DOJ) Final Rule on Restricting Transfers of Bulk Sensitive Personal Data took effect, marking a watershed moment for national security and biomedical research. Codified at 28 C.F.R. Part 202, the rule implements President Biden’s Executive Order 14117, which prohibits or restricts US persons from providing bulk sensitive personal data—or any government-related data—to countries of concern or entities under their control. [1] 

On April 8, 2025, the Trump administration finalized an executive order expanding the Biden administration’s language and specifically targeting the life sciences industry.[2] 

The implications of this rule are significant for the life science industry. Life science companies and the medicines they develop frequently rely on human genomic, clinical, and biomarker data. The rule’s reach extends beyond espionage prevention; it reshapes how biotech, pharma, and digital-health companies handle cross-border data, manage vendors, and design research collaborations.

A New National-Security Frontier in Data

The United States Department of Justice calls foreign exploitation of Americans’ health and genomic data “an unusual and extraordinary threat.”

The new rule closes a significant gap in US national security authorities: until now, foreign adversaries could buy or license US data through commercial IT. In Deputy Attorney General Todd Blanche’s words, “Why hack it when you can buy it?”

The rule formally designates countries of concern, including:

  • China (including Hong Kong and Macau) 
  • Cuba 
  • Iran 
  • North Korea 
  • Russia 
  • Venezuela 

These countries are explicitly designated as countries of concern because they demonstrate the intent and capacity to use such data for surveillance, coercion, or military advantage. [3]

What is “Bulk Sensitive Personal Data”?

Bulk US sensitive personal data is any collection or set of sensitive personal data relating to US persons, in any format. For life science organizations, bulk means more than volume—it defines the regulatory threshold for restriction. Under the Final Rule, any dataset—anonymized, pseudonymized, or encrypted—can trigger compliance duties if it meets or exceeds these limits within a 12-month period.

This includes anonymized, pseudonymized, de-identified, or encrypted data that meets or exceeds the thresholds set out in the new regulations. Any combination of these data types that together meets the lowest applicable threshold also qualifies as bulk. That means even a modest-sized clinical trial can fall squarely within the rule. See Tables 1, 2, and 3 below.

Key Aspects

Life science companies must evaluate how they handle bulk sensitive personal data and ensure that any commercial use of this information does not include sale to the countries of concern listed by the DOJ.

Table 1 – Key Aspects of Bulk Data Classification 

| Aspect | Definition |
| --- | --- |
| Regulatory threshold | “Bulk” is not just about the volume of data; it serves as a regulatory threshold. Compliance obligations are triggered if a dataset exceeds the minimum specified amounts over a 12-month period. |
| Applicability to life science organizations | Even relatively small datasets, such as those from modest clinical trials, can fall under this rule. Any combination of sensitive data types, even if each is individually below its threshold, can collectively qualify as bulk data if together they reach the minimum threshold. |
| Compliance duties | Once a dataset meets the bulk sensitive personal data criteria, organizations must meet various compliance requirements, including enhanced data protection measures and reporting obligations. |

Implications

To ensure compliance, life science companies must assess their business models with respect to the information covered by the new rule.

Table 2 – Implications for Life Science Organizations 

| Implication | Action Required |
| --- | --- |
| Data management strategies | Organizations need robust data management and governance strategies to monitor data collections and ensure compliance with these regulations. |
| Risk assessment | Even datasets that seem minor or manageable can have regulatory implications, so organizations should conduct thorough risk assessments and ensure protocols are in place. |
| Training and awareness | Life science companies should train staff across relevant departments to understand the implications of the Final Rule and the thresholds for bulk sensitive personal data, to minimize compliance risk. |

Covered Data Transactions

There are two types of government-related data. The first is any precise geolocation data, regardless of volume, for any location within an area enumerated on the Government-Related Location Data List in the original Biden executive order. The second is any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or retired senior officials, of the United States Government, including the military and the Intelligence Community. “Recent former employees” and “recent former contractors” are those who worked for or provided services to the United States Government, in a paid or unpaid status, within the two years preceding a potential covered data transaction with a country of concern or covered person.

Table 3 – 2025 Data Rule Classifications 

| Category | Threshold (number of US persons) | Examples |
| --- | --- | --- |
| Human genomic data | 100 | Whole-genome or exome sequences |
| Other “omic” data (proteomic, transcriptomic, epigenomic) | 1,000 | Multi-omics, proteomics, or RNA datasets |
| Biometric identifiers | 1,000 | Facial, voice, retinal, or fingerprint data |
| Personal health data | 10,000 | Clinical, Electronic Health Records (EHR), or medical claims datasets |
| Personal financial data | 10,000 | Payment or billing records |
| Personal identifiers | 100,000 | Contact, SSN, or device identifiers |
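To make the threshold logic concrete, here is an added Python example (not code from the article or from Green Leaf) that applies the Table 3 thresholds and the “any combination meets the lowest threshold” rule from the bulk data definition above to a constructed dataset inventory over a trailing 12-month window. The `Holding` record format, the sample inventory, the trailing-365-day window, and the reading of the combination rule as “sum the US persons across the categories present and compare with the lowest threshold among those categories” are assumptions made for this example; only the category names and thresholds come from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Per-category thresholds (number of US persons) taken from the article's Table 3.
THRESHOLDS = {
    "human_genomic": 100,
    "other_omic": 1_000,
    "biometric": 1_000,
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "personal_identifiers": 100_000,
}
GOVERNMENT_RELATED = "government_related"  # covered regardless of volume


@dataclass(frozen=True)
class Holding:
    """One dataset held or transferred. The record format is constructed for this example."""
    name: str
    category: str       # a THRESHOLDS key or GOVERNMENT_RELATED
    us_persons: int     # distinct US persons the dataset covers
    collected_on: date  # when the data was collected or received
    deidentified: bool = False  # recorded for reporting only; de-identification does not exempt data


def holding(name, category, us_persons, collected_on_iso, deidentified=False):
    """Convenience constructor taking an ISO date string."""
    return Holding(name, category, us_persons, date.fromisoformat(collected_on_iso), deidentified)


def in_window(holdings, as_of, days=365):
    """Holdings collected in the trailing 12-month window ending on as_of (assumed window rule)."""
    start = as_of - timedelta(days=days)
    return [h for h in holdings if start < h.collected_on <= as_of]


def classify(holdings, as_of_iso):
    """Decide whether the inventory meets the 'bulk' threshold and record why."""
    as_of = date.fromisoformat(as_of_iso)
    totals = {}
    for h in in_window(holdings, as_of):
        totals[h.category] = totals.get(h.category, 0) + h.us_persons

    reasons = []
    # Government-related data counts at any volume.
    if totals.get(GOVERNMENT_RELATED, 0) > 0:
        reasons.append("government-related data present (no volume threshold)")

    # Per-category thresholds.
    for cat, limit in THRESHOLDS.items():
        if totals.get(cat, 0) >= limit:
            reasons.append(f"{cat}: {totals[cat]} >= {limit}")

    # Combination rule as read from the article: the categories present are
    # summed and compared with the lowest threshold among them. Summing is
    # conservative, since the same person may appear in several categories.
    present = [c for c in THRESHOLDS if totals.get(c, 0) > 0]
    if len(present) >= 2:
        combined = sum(totals[c] for c in present)
        lowest = min(THRESHOLDS[c] for c in present)
        if combined >= lowest:
            reasons.append(f"combination of {'+'.join(present)}: {combined} >= lowest threshold {lowest}")

    return {"bulk": bool(reasons), "reasons": reasons, "totals": totals}


# Constructed sample inventory for a hypothetical trial sponsor.
SAMPLE_INVENTORY = [
    holding("trial-0042 genomic", "human_genomic", 60, "2025-03-01"),
    holding("trial-0042 biometrics", "biometric", 50, "2025-05-01", deidentified=True),
    holding("trial-0042 billing", "personal_financial", 2_000, "2025-06-01"),
    holding("legacy-cohort genomic", "human_genomic", 500, "2023-06-01"),
]

if __name__ == "__main__":
    result = classify(SAMPLE_INVENTORY, "2025-09-30")
    print("bulk:", result["bulk"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run as of 2025-09-30, no single category in the sample reaches its threshold (60 genomic, 50 biometric, 2,000 financial), yet the inventory is still classified as bulk through the combination rule, which is exactly the “modest-sized clinical trial” case the article warns about; the legacy cohort falls outside the window and is ignored, but the same inventory evaluated as of 2024-01-01 is bulk on the genomic threshold alone.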

Key Prohibitions and Restrictions [4]

The DOJ separates “covered data transactions” into prohibited, restricted, and exempt categories. 

Prohibited transactions include:

  • Data brokerage—the sale, licensing, or commercial transfer of bulk data to a covered person or country of concern.
  • Any transaction giving such entities access to bulk human omic or biospecimen data.

Restricted transactions include vendor, employment, or investment agreements with covered persons or countries of concern. These may proceed only if the US party adopts the Cybersecurity and Infrastructure Security Agency (CISA) security requirements and maintains a DOJ-compliant Data Compliance Program with annual audits and officer certification.

Necessary Exemptions [4]

The new rule provides for some exempt transactions to protect legitimate scientific and regulatory activity: 

  • FDA-regulated clinical investigations and post-marketing surveillance using de-identified or pseudonymized data. 
  • Submissions required by the FDA or foreign health authorities. 
  • Federally funded research, telecommunications, financial services, and official US government business. 

From Privacy to National Security

There is growing awareness among many governments worldwide that adversaries can weaponize various types of personal information. Unlike HIPAA or GDPR, which hinge on individual privacy and consent, the new DOJ rule is built on national-security risk and applies even to de-identified data. The DOJ’s National Security Division (NSD) explicitly likens the regime to export controls on data, placing it alongside sanctions administered by OFAC. US persons must “know their data”—inventory what they hold, where it flows, and who ultimately accesses it.

The fusion of data protection and national security reflects a global trend: information is now a strategic resource. For life sciences, where genomic data is the new oil, the rule underscores that data sovereignty is security sovereignty. [5]

Impact on Life-Science Companies

In my first blog, I explained that intangible assets dominate the balance sheets of most modern companies. Other authors have noted “Data is the new oil” [6] [7]. Few industries rely more heavily on cross-border data sharing than biotechnology and healthcare. Clinical trials, genomic sequencing, contract research, and post-marketing surveillance all involve global data flows. 

Yet these very strengths—data intensity and international collaboration—create exposure under the new rule. The rule’s breadth, its departure from existing privacy-focused laws, and its significant civil and criminal penalties mean life science companies must now evaluate how to minimize risk in prohibited and restricted transactions.

For many of Green Leaf’s life sciences clients, these shifts have prompted a reassessment of how data is stored, shared, and governed. Cloud strategy, vendor selection, and data classification policies now carry implications that reach beyond compliance.

Violations 

Like other regulations that carry criminal liability, the new rule treats violations as a serious matter. Violations carry civil penalties of up to $368,000 or twice the transaction value, and criminal penalties of $1 million and 20 years’ imprisonment for willful acts.

Life Science’s Plan for Action [4]

Life science companies that generate and use bulk “omic” information must:

  • Establish a Data Compliance Program – A written, risk-based program identifying data types, transaction parties, and data-flow maps; certified annually by a senior officer. 
  • Conduct independent audits – Annual audits verifying adherence to CISA security controls and compliance procedures. 
  • Maintain records for ten years – Covering transaction details, licenses, advisory opinions, and audit results. 
  • Report certain events – Including rejected prohibited transactions and suspected onward transfers to countries of concern. 
  • Develop an Action Plan that includes: 
    • Map global data flows 
    • Screen counterparties 
    • Amend contracts 
    • Leverage exemptions 
    • Integrate security frameworks 
    • Educate leadership 

Conclusion

As noted in my prior posts, the life science sector is experiencing a data revolution. From drug development to regulatory approval and manufacturing, data analytics and AI are unlocking insights across genomics, clinical trials, and precision medicine.

However, with innovation comes exposure: the same datasets that enable breakthroughs can also reveal national vulnerabilities if exploited by adversaries. 

The DOJ’s Data Security Program signals that data protection is now a matter of national defense, not merely corporate compliance. For life-science companies, aligning discovery with defense isn’t optional—it’s the new operating reality. 

The 2025 DOJ Data Rule marks the first comprehensive US attempt to treat personal and biomedical data as a strategic asset. Life science organizations that proactively build compliant, risk-based data security programs will not only avoid penalties—they will also earn trust as stewards of America’s genomic and health data future.

Green Leaf Consulting Group is well-positioned to assist Life Science companies in understanding the risks. The experts at Green Leaf can design and implement a compliance action plan for the new rule, providing data flow analysis, mapping information supply chain analysis, contract review, and modification of information security frameworks (policies and procedures). They can also educate leaders and managers on the implications of these changes and how to address them. 


References 

  1. Biden, J.R., Executive Order 14117 of February 28, 2024. The White House, 2024. US Federal Register, Washington, DC.
  2. Pierce, J.C., et al., Life Sciences Companies Must Navigate the DOJ Data Rule. Goodwin Alerts, 2025. Goodwin LLP, Boston, MA.
  3. National Security Division, Data Security Program: Compliance Guide. United States Department of Justice, National Security Division, Washington, DC, 2025.
  4. National Security Division, Foreign Investment Review Section, National Security Division Data Security Program Compliance Guide – 04112025. United States Department of Justice, Washington, DC, 2025.
  5. Egan, M., et al., The DOJ’s Bulk Sensitive Personal Data Rule’s Imminent Relevance to Life Sciences Companies. Cooley Alert, 2025. Cooley LLP, Palo Alto, CA.
  6. Bhageshpur, K., Data Is The New Oil — And That’s A Good Thing. Forbes Technology Council, Forbes, 2019.
  7. OIP Insurance Technology, The DOJ Big Data Act: What Insurers Need to Know. OIP Insurance Technology, Henderson, NV, 2025.