If you work with Bulk “Sensitive Personal Data” (biometric identifiers, human 'omic data, precise geolocation, personal health and financial data, and covered personal identifiers) or “U.S. Government-Related Data” (sensitive data linked to former federal employees or contractors, and geolocation data tied to sensitive government locations)… or if you’re not sure whether you work with Bulk Data and want to know more… READ THIS! 

In alignment with Executive Order 14117 and the U.S. Department of Justice’s Final Rule (effective April 8, 2025), the University of Vermont is issuing this Privacy Matters notice to reinforce institutional safeguards against unauthorized access to covered data by foreign entities or individuals affiliated with countries of concern. 

Failure to comply with the requirements of this rule could result in criminal, civil, and/or administrative penalties, loss of federal funding or of UVM’s ability to enter into contracts, and may result in significant reputational harm. To prevent violations, we must ensure that we adhere to the rules and regulations as they relate to the sharing of covered data with foreign entities or individuals from countries of concern.

What is covered data?

According to the rule, bulk sensitive personal data includes biometric identifiers, human genomic and 'omic data, precise geolocation, personal health and financial data, and covered personal identifiers (e.g., SSNs, passport numbers). The threshold for defining a dataset as “bulk” is determined separately for each data category. Covered data also includes government-related data that is linked to former federal employees or contractors and geolocation data tied to sensitive government facilities. There is no bulk volume threshold for government-related data. 

Who are covered persons?

Under this rule, “Covered Persons” are entities or individuals: 

  • Based in or operating from China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, or Venezuela 

  • Employed by or majority-owned by entities in these countries 

  • Designated by the U.S. Attorney General as a national security risk 

What is considered a prohibited transaction?

If a member of UVM’s workforce (faculty, staff, researchers, contractors) licenses, transfers, or provides access to covered data to covered persons, engages in research collaborations or cloud services that could expose such data, or uses third-party vendors or platforms that do not meet federal cybersecurity standards, they have engaged in a prohibited transaction. 

Should I worry?

Yes, but… 

Currently, we are not aware of any transactions classified as Restricted Transactions under this regulation. However, if you are working with “bulk data” or partnering with “covered entities,” it is important to evaluate whether a data security framework is required. Should any Restricted Transactions arise in the future, you are required to establish a robust Data Security Program (DSP), including the following, before moving forward: 

  • Meeting Cybersecurity and Infrastructure Security Agency (CISA) guidelines, such as implementing access restrictions, conducting risk assessments, and applying controls at the data level; 

  • Maintaining a Data Compliance Program, which sets forth processes for risk-based evaluations and requires yearly certifications; and 

  • Fulfilling audit and documentation obligations. 

Any UVM faculty or staff member interested in pursuing Restricted Transactions must promptly contact UVM’s Information Security Officer to verify whether such activity is permissible. 

What do I need to do?

To remain compliant with the regulations, start by examining your data use contracts and vendor partnerships. Consider whether you handle any data types governed by these rules—such as large-scale U.S. Sensitive Data or U.S. government-related information. Assess if you share this data with people or organizations based in, or owned by entities from, the Countries of Concern (Cuba, China, Hong Kong, Macau, Russia, Venezuela, Iran, and North Korea). For further assistance or clarification, reach out to UVM’s Research Security Program. 

Where can I find more information?

The International Association of Privacy Professionals (IAPP) has created a cheat sheet that provides additional information. 

UVM has developed “Internal Guidance on the DOJ Bulk Data Rule”. Go to UVM’s Research Data Management page and scroll down to the DOJ Bulk Data Rule section. From there, you can find the internal guidance.

If you have questions, please reach out to the Information Security Office at iso@uvm.edu, the Office of Compliance & Privacy Services at privacy@uvm.edu, or Research Administration and Integrity at rai@uvm.edu.