Why EO14117? Data protection is at the center of risk and regulation
- seandineen7
- Mar 17
Updated: Mar 18
The recently implemented EO14117 is yet another set of rules that brings more requirements to data protection. With so much regulation in motion, what can organizations do?
While it’s quite common to describe cyber risk as chaotic and uncertain, those words aren’t typically applied to cyber regulation. Regulators are traditionally deliberate and slow to act, and when they do issue guidance, it doesn’t always translate easily into practical technical guidance, especially for security practitioners.
What does all the uncertainty mean for data protection? We’ll continue the discussion from our last blog, as organizations work to build new best practices that will stand up to whatever shows up next on the threat, or regulatory, radar.

Data protection has driven an emergence of convergence
This isn’t to say that compliance rules have never been meaningful. But if you mapped security versus compliance in a Venn diagram, it took a long time for meaningful overlap to appear. Over the last few years, though, the convergence of compliance and cybersecurity risk has accelerated, largely due to an intense focus on data protection.
Data, from payments to protected health information, is increasingly essential to modern business.
Unfortunately, an asset can’t be locked up in a vault—its value comes through use, and attackers know this.
That leads to the modern stalemate, in which businesses try to use and move data while attackers try to steal it.
This last point is mostly what cybersecurity and compliance are about: protecting information as both an asset and an attack surface.
While attackers are universally relentless in pursuing protected data, their motivations are more diverse. Criminal attackers are looking for economic gain, corporate invaders are after IP or data yielding a competitive edge, and hostile nation-states want all of it. AI only raises the stakes.
Regulations, and uncertainty, are both scaling
Since the passage of HIPAA in 1996, regulators have focused on protecting data, especially personal or sensitive data. Since then, however, it’s mostly been a game of catch-up as regulators try to keep pace with attackers and unscrupulous or inattentive businesses, penalizing them for lapses in both compliance and security.
We’ve seen industry-specific frameworks like PCI and HIPAA, multinational rules like GDPR, and even separate guidance for K-12 and higher education (COPPA and FERPA). While the PCI framework was always very operational in focus, HIPAA has only recently included the same kind of control specifics via the 2025 Security Rule update.
Data has also become a part of larger risk and cybersecurity frameworks, from NIST standards to SOC/SSAE. The NIST framework, in particular, has become much more sophisticated regarding data, even if Zero Trust guidance hasn’t yet formally come to the data layer. Even the SEC is in on the game, with data protection now part of mandatory disclosure rules.
Finally, we get federal interventions like EO 14117, which was written to govern sensitive data sharing with restricted countries and individuals. This rule, which was written in 2024 but will be implemented in 2025, is focused on governing bulk data sharing between American companies and parties in China, Russia, North Korea, Cuba, Venezuela, and Iran.
The rules remind us that sensitive information, especially inside unstructured data, can appear in processes not traditionally associated with data sharing. Investment documents, employment arrangements, partnership agreements—depending on who finds it first, it can be either an opportunity or a liability. EO 14117 was written to protect it from bad criminal actors and their nation-states.
An AI governance gap, at exactly the wrong time
If AI is all about data, we should see that reflected in regulatory priorities. But while companies and industry groups press on towards standards, we’ve seen the federal government shift priorities. The new administration not only rescinded Biden’s order on safety and security; the title of its new EO, “Protecting the Competitiveness of American AI”, makes the new focus clear.
But even if the White House isn’t interested in promoting security guidance, other regulators are. While many doubt the EU AI Act can be effectively enforced, it has become a de facto internal standard for many organizations. Predictably, some US states are pursuing their own goals.
It all adds up to pressure
The rise of AI and its uneven governance are putting even more pressure on data protection. While security and compliance guidance are increasingly in sync, organizations still struggle to understand their obligations, design defenses, and demonstrate those controls. Because even if the governance of AI, or anything else, isn’t clear, the cost of non-compliance is.
- Organizations that get data protection wrong can end up in the headlines, like the infamous Colonial Pipeline shutdown of 2023, when operational and billing data breaches brought the business to a halt and cost them
- You don’t have to make the evening news to end up paying hefty fines to federal regulators, as healthcare businesses are finding out under the OCR rule
- You don’t even need regulators to be penalized for compliance and security lapses. The intense focus on third-party risk management means new obligations and expectations are now being built into your business agreements. A failure to comply here means loss of potential business.
And the need to focus on the fundamentals
Whether it’s updates to the HIPAA Security Rule, the strict new rules of the upcoming PCI DSS 4.0, or more executive guidance similar to EO 14117, compliance and security baselines are both rising. A lot of matters that were formerly addressable, or subject to reasonable best standards, are now being handled prescriptively:
- Risk-based thinking about everything from supply chains to security solution choice is now seen as fundamental
- Robust multifactor authentication as well as role-based access management are now mandatory
- The frequency and cadence of compliance and security obligations, from vulnerability scanning to strategic risk planning, has dramatically increased
Diving deep on data best practices
Beyond these big-picture changes, the rules around data and encryption are getting tougher. Data encryption at rest, for instance, is now a requirement under HIPAA and EO 14117. So is a risk-driven strategy for prioritizing controls.
Build for Visibility
You can’t secure what you can’t see. Evaluate your current data scanning and protection platforms, looking for gaps and overlaps that create dangerous blind spots or add unnecessary complexity to the enterprise’s protection.
- Look for platforms that can help you scan across both on-prem and cloud environments
- Ensure you can see across and inside unstructured data, which often makes up 90% of your total data inventory
Strategize beyond the enterprise
Traditional data protection and DSPM platforms are primarily focused on securing data inside the constraints of a mostly-managed enterprise environment. DLP can’t just be about preventing files from leaving the environment—the protection should persist after the data leaves.
- Look for alternative strategies, including selective encryption, that let you secure data, not just files, beyond the reach of your cloud or on-prem networks
- Maintain that same critical visibility into data access and activity
Re-engage with zero-trust thinking
Zero Trust is almost twenty years old as a paradigm, but its adoption is still largely uneven. Beyond the traditional focus on network segmentation and engineering for least-privilege access, how can Zero-Trust ideas better protect data?
- Can selective encryption of fields strike a balance between document security and information shareability?
- Can that encryption be used to drive more proactive, dynamic control of data (and who accesses
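As an added illustration of the selective field encryption idea raised above (example code written for this page, not Confidencial’s product or any code from the post): only the fields marked sensitive are encrypted with AES-GCM, the field name is bound as associated data so a ciphertext can’t be quietly moved to another field, and every other field stays readable so the record remains shareable. The `FieldProtector` type, the key and the record are all constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// FieldProtector encrypts chosen fields of a record with AES-GCM and leaves the rest readable.
type FieldProtector struct{ aead cipher.AEAD }
func NewFieldProtector(key []byte) (*FieldProtector, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return &FieldProtector{aead: aead}, err
}

// EncryptFields replaces only the fields listed in sensitive, in place, with
// base64(nonce || ciphertext || tag); the field name is bound as associated data.
func (p *FieldProtector) EncryptFields(record map[string]string, sensitive map[string]bool) error {
	for name, v := range record {
		if !sensitive[name] {
			continue
		}
		nonce := make([]byte, p.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		ct := p.aead.Seal(nonce, nonce, []byte(v), []byte(name))
		record[name] = base64.StdEncoding.EncodeToString(ct)
	}
	return nil
}

// DecryptField recovers one field; malformed, tampered, wrong-key or field-swapped values error out.
func (p *FieldProtector) DecryptField(name, value string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil || len(raw) < p.aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := p.aead.Open(nil, raw[:p.aead.NonceSize()], raw[p.aead.NonceSize():], []byte(name))
	if err != nil {
		return "", err // GCM tag check failed
	}
	return string(pt), nil
}
```

A real deployment would draw the key from a KMS or HSM and rotate it; the hard-coded key here only keeps the example self-contained.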
Regulations are uncertain, but risk is forever
Getting a handle on data protection unlocks so much else around what you need to accomplish, whether you’re worried about compliance or safety. Confidencial and Confidencial Cloud Protector are ready to help you face what’s next with confidence. Ready to take the next step?