What Is Executive Order 14117—and Why Does It Matter for U.S. Enterprises?

July 24, 2025

In today's fast-moving digital economy, data flows across borders at the speed of light—and often with little oversight. But a new directive from the White House is signaling a major shift in how the U.S. government views the risks of cross-border data access and exploitation.

Executive Order 14117, signed in February 2024, marks a pivotal moment for data governance, national security, and enterprise risk management. If you're a U.S. organization that processes large volumes of sensitive data—especially biometric, health, financial, or geolocation data—you need to understand what this Executive Order means, and how it may affect your operations.

What Is Executive Order 14117?

Executive Order (EO) 14117, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” directs federal agencies to establish new safeguards that limit access to U.S. persons’ sensitive data by foreign adversaries.

In simple terms: the U.S. government is concerned that bulk personal data—especially when sold or transferred via data brokers, cloud services, or third-party vendors—could be exploited by foreign governments for malicious purposes, including surveillance, blackmail, or disinformation campaigns.

To counter this risk, EO 14117 tasks the U.S. Department of Justice (DOJ) and other federal bodies with drafting regulations that will:

  • Restrict certain data transfers to “countries of concern”
  • Regulate the sale of bulk sensitive personal data to foreign buyers
  • Place new obligations on U.S. companies that handle data related to national security, defense, or critical infrastructure

Why It Matters to U.S. Enterprises

For U.S. businesses, this Executive Order is more than a national security directive—it’s a wake-up call about the risks of uncontrolled data sharing. That's why we created a new checklist in partnership with Baker McKenzie to help you understand your risks and take steps to address them. Download it now to learn more.

1. It Expands the Scope of Regulated Data

Unlike sector-specific rules like HIPAA or GLBA, EO 14117 casts a much wider net. It covers a broad range of sensitive data types including:

  • Biometric data (e.g., facial recognition, fingerprints)
  • Health and genetic data
  • Precise geolocation data
  • Financial and credit data
  • Personal identifiers like Social Security numbers
  • And even U.S. Government-related data held by contractors and vendors

If your organization collects or stores any of this information, you may come under scrutiny—especially if you work with international partners, offshore service providers, or cloud vendors with ties to foreign jurisdictions.

2. It Elevates Data as a National Security Asset

The Executive Order signals a new era in which data is no longer just a privacy or compliance issue—it’s a national security issue. That means future regulations could include:

  • Mandatory vetting of foreign business partners
  • Restrictions on cross-border data transfers
  • Auditable recordkeeping requirements
  • Enhanced breach reporting obligations

3. It Puts Pressure on Data Governance Programs

Organizations that don’t know where their data is, what it contains, or who can access it are at the greatest risk. In this context, weak data governance is a liability.

To get ahead of new rules, U.S. enterprises must build programs that:

  • Automatically discover and classify sensitive data
  • Map data flows across systems and geographies
  • Enforce role-based access controls
  • Enable defensible data minimization and deletion

Learn how Exterro Automated Data Mapping can help.

What Should Companies Do Now?

The DOJ’s proposed rules are expected later this year. But waiting to act is a risk in itself. Here’s how forward-looking organizations can prepare:

🔎 Audit your data landscape. Inventory what sensitive data you collect, where it resides, and who has access to it.

🌍 Review cross-border relationships. Examine contracts with international service providers, data processors, and cloud vendors—especially those in high-risk jurisdictions.

⚙️ Automate data governance. Manual processes won’t scale to meet the complexity or urgency of these new risks. Invest in integrated solutions that combine privacy, security, e-discovery, and incident response capabilities.

🛡️ Treat sensitive data as critical infrastructure. It’s time to elevate data protection to the same level of oversight as physical assets or supply chains.

The Bigger Picture: Proactive Data Risk Management

At Exterro, we believe EO 14117 is part of a broader shift: data risk is becoming strategic. Regulatory frameworks like GDPR and CCPA started the conversation. This Executive Order escalates it to a new level, where compliance, security, and geopolitical risk intersect.

Enterprises that succeed in this new environment will be those that treat data not just as an asset—but as a responsibility.

Let us help you take control of your data, reduce risk, and stay ahead of whatever comes next. Download our new Executive Order 14117 checklist today.
