Assistant Attorney General Matthew G. Olsen Delivers Keynote Speech at the American Bar Association’s 39th National Institute on White Collar Crime

Good morning. Thank you for being here. I am pleased to follow my colleague Nicole Argentieri, who leads the Criminal Division. The ABA White Collar Conference is, of course, familiar territory for them. This is notably the second year in a row that I’ve been here to represent the National Security Division (NSD).

The reason for that reflects an enduring shift in the national security landscape. When NSD was created in the aftermath of the 9/11 attacks, its mission and caseload was dominated by the threat of international terrorism. We, of course, remain laser focused on the threat of terrorism against the United States today. But NSD’s work also is evolving to respond to the dynamic threats the United States faces from capable nation-state adversaries. Countries like China, Russia, Iran, and North Korea engage in aggressive and sophisticated efforts, both inside our borders and abroad, to undermine the security, economic interests, and democratic institutions of the United States and our allies.

To combat these threats, we have sharpened our focus and increased capacity when it comes to enforcement of sanctions and export controls; disrupting malicious cyber activity and foreign malign influence; and reviewing the risks of foreign investment in U.S. companies — especially those that are developing sensitive technology and hold vast U.S. data.

When it comes to that last threat in particular, the Department of Justice is taking on an important new mission.

Last week, the President signed a groundbreaking Executive Order that gives the Justice Department the authority to block countries that pose a threat to our national security from harvesting Americans’ most sensitive personal data. At the National Security Division, we will be building a data security protection and enforcement program from the ground up to carry out this responsibility.

I want to talk in more detail about all of this work in the next few minutes. But here is a key point: our efforts in the National Security Division now interact with corporations and the business community like never before.

Corporations are on the front lines when it comes to enforcing critical national security tools, like sanctions and export controls. Companies — your clients, for many people in this room — make business decisions every day that have serious consequences for our national security. That means it is our job to ensure the right incentives are in place for companies to make choices that keep Americans safe.

The stakes here are high. Our enforcement tools cut off Iran’s access to the financial markets and technologies it needs to support its weapons systems and brazen aggression. They prevent China from stealing cutting-edge technology that enables their military advances and human rights abuses. They block North Korea from funding its nuclear ambitions. And our efforts impose costs on Russia for its invasion of Ukraine.

That is why the National Security Division takes corporate enforcement so seriously. And it is why, when corporations and their executives break laws that protect national security, we do not hesitate to use the full range of our authorities to hold them accountable.

Let me start with what we are doing on the enforcement front. We’ve more than doubled the number of prosecutors working on violations of sanctions, export control, and foreign agent laws. We’ve brought on two veteran prosecutors to serve as the division’s first ever chief and deputy chief counsel for corporate enforcement.

And we are seeing the results. In recent years, we’ve secured the first-ever guilty plea by a corporation for material support to terrorism. That case resulted in a $778 million penalty and makes clear that NSD will not hesitate to hold corporations responsible if they make payments to designated terrorist organizations in furtherance of market share and profits.

We also obtained a guilty plea from the subsidiary of a British tobacco company for violating sanctions against North Korea along with a $629 million penalty — the largest ever criminal penalty for a violation of sanctions on North Korea.

Just a few months ago, together with our partners in the Criminal Division, we secured a guilty plea by Binance, the world’s largest cryptocurrency exchange, for violating Iranian sanctions. That case involved a $4.3 billion financial penalty — one of the largest criminal penalties in history — as well as a guilty plea by the company’s founder and then-CEO who is currently awaiting sentencing.

For NSD, finding and prosecuting corporate and individual wrongdoers is a core responsibility. But our relationship with the business community extends well beyond criminal investigations. We want companies to prevent people from evading sanctions and export controls in the first place.

We rely on financial institutions and technology companies to be gatekeepers and to build strong compliance programs to prevent, detect, and report violations. Our private sector engagement and revamped voluntary disclosure policies encourage compliance and drive corporate responsibility.

That approach is paying off. Just last week two major, multinational companies came to NSD to report significant violations they have discovered. They had already shared the information through regulatory channels but recognized that also enabling law enforcement action could be important to national security. That kind of outreach reflects companies having internalized our warnings and illustrates how strong voluntary disclosure policies drive corporate responsibility and protect national security in concrete ways.

At the end of the day, every dimension of our relationship with corporations and the private sector has one goal: to advance our national security mission.

Today, we are drawing on that experience as we counter a new threat and work to stem the flow of American’s sensitive data to our adversaries.

Our intelligence community has made clear that “our adversaries increasingly view data as a strategic resource.” Countries like Russia and China seek to obtain sensitive personal data of Americans — things like geolocation, financial, or health information — by purchasing it through data brokers or by accessing it through strategic investments and commercial relationships. Here, once again, corporations are on the front lines.

At the National Security Division, we have already invested heavily in the effort to prevent, disrupt, and punish the exfiltration of sensitive data from U.S. victims for espionage and other nefarious purposes.

Last year, we created a new National Security Cyber Section. Its mission includes working to disrupt and respond to brazen attempts by our foreign adversaries to use cyber to steal sensitive data. And our Counterintelligence and Export Control Section (CES) prosecutes economic espionage and insider threat cases, for example where foreign adversaries recruit employees from within companies to seal sensitive technology and intellectual property.

Finally, our Foreign Investment Review Section (FIRS) seeks to prevent data security risks before they materialize through our role on the Committee on Foreign Investment in the United States and as the chair of Team Telecom.

Yet even as we work to close back door attempts to illegally acquire Americans’ sensitive data, the front door has been wide open. In fact, no federal law prohibited our foreign adversaries and their proxies from buying bulk personal data directly on the open market or through the shadowy world of data brokers.

Now, we’re locking the front door. In signing the Executive Order, President Biden noted it was “the most significant action any President has ever taken to protect Americans’ data.” Soon, it will no longer be legal to sell some of the most sensitive data to our foreign adversaries or share it without safeguards with vendors, employees, and investors located in those countries.

This Executive Order protects seven categories of Americans’ sensitive data that are at greatest risk. This includes genomic and personal health data, but it also includes geolocation information and personal identifiers, such as your social security numbers or driver’s license number, and bulk personal financial data.

We already know what our sophisticated adversaries can do with this data. They can use information about an individual’s debt, creditworthiness, and financial pressures to find points of leverage for coercion, blackmail, and influence. They can use geolocation data to identify U.S. Government sources based on travel patterns and meeting activities. They can use personally identifiable information to identify dissidents and defectors living under new identities.

And the national security risks posed by allowing this bulk data to fall into the wrong hands will only increase with the explosive growth of artificial intelligence.

For far too long, we have seen that adversaries haven’t even needed to resort to illicit means and instead exploit ready access to bulk sensitive data by purchasing it or through commercial relationships. Now, the Department of Justice will do our part to make it harder for foreign adversaries to get their hands on this type of information.

We are moving fast. One week in, I’ll note three developments.

First, minutes after the President signed his Executive Order, I signed a 90-page Advance Notice of Proposed Rulemaking, or ANPRM, that kicks off the rulemaking process and seeks public comments to help us refine the program. The ANPRM describes our proposed approach, but we will have multiple rounds to engage with the relevant stakeholders and ensure we’re getting it right.

Second, we are crafting a strategy for enforcement and compliance of this program. Just as we’ve done with sanctions and export controls, that strategy will have real teeth. These regulations will be backed by the full suite of civil and criminal authorities under the International Emergency Economic Powers Act. That includes investigatory authorities and subpoena authority.

Companies that know or should know they engaged in a prohibited transaction may face civil penalties. And, at the most egregious end of the spectrum, when companies willfully and deliberately violate these rules, we will consider more significant and stringent criminal enforcement.

Countries of concern looking to exploit these carefully targeted rules to circumvent the law, should think again. We will be relentless in pursuing adversaries and those working on their behalf who try to evade the law by using shell companies, middlemen, proxies, and cut-outs.

Our strategy will, of course, focus on voluntary compliance, and will provide companies with guidance and advisory opinions to ensure companies take the necessary precautions.

Third, we are ramping up our staffing and resources significantly. This regulatory program will require us to bring on dozens of new attorneys and non-attorneys with expertise in general and specific licensing, targeting and designations, guidance and advisory opinions, and policy and regulatory development.

We will also be substantially increasing FIRS’s Compliance and Enforcement Unit to ensure we have the capacity to use our administrative and civil authorities to protect Americans’ data pursuant to the Executive Order. And, where appropriate, our prosecutors at CES stand ready to bring criminal charges where the facts support it. We’ve also appointed a new Deputy Chief for National Security Data Risks. And we will continue to expand the structure of this program over time to fulfill our critical responsibilities.

So that is a snapshot of our plan over the next year to carry out the responsibility that the President has given to the Justice Department. Now let me shift the focus to what companies should be doing. I say this recognizing I’m here with prominent white-collar lawyers and in-house counsel, including those advising large, sophisticated, multi-national companies rich with data. Here is our advice to those companies:

• Know your data. It is worth the investment to understand fully what categories of data you transact in and how much — and whether you have appropriate safeguards in place to ensure that sensitive information cannot be misused.
• Know where that data is going: You should review existing agreements to sell or provide your data to others — including advertisers, marketers, and vendors — and update those agreements now to ensure you have sufficient confidence in where that data is going.
• Know who has access to the data: The proposed rules would apply to certain transfers of data to non-U.S. consultants and investors who are based in countries of concern, including China, Russia, and Iran. That means you need to understand what data you are making available and to consider the implications.
• Know your data sales: Consider any transactions you have involving the sale of data, and consider whether you have confidence in the business practices of any third-party data brokers you deal with, directly or indirectly.

The answers here are not one-size-fits-all. As in the sanctions and export control regime, companies will need to develop risk-based compliance programs tailored to their individualized risk profiles. What’s right for one company may not be appropriate for another. Compliance programs will vary based on company size and sophistication, its products and services, its customer base, and where it does business.

If you start asking these questions now, you will be in a much better position when the rule takes effect next year. Fundamentally, knowing the answers isn’t just about the profound privacy implications, but also our national security in ensuring U.S. sensitive data does not fall into dangerous hands.