Analyzing Executive Order 14117:  What companies might be affected and how might their business processes change

 

Executive Order 14117 will prohibit certain transactions that involve American companies sharing sensitive personal data with, or selling it to, “countries of concern”.  This order is designed to completely restrict the direct transfer of specific types of data, and it will also have to restrict the downstream transfer of that data so that the information does not eventually wind up in the possession of the identified countries.  Though the rules have not been created at this time, this article anticipates which businesses may be affected and how, both in terms of operations and in terms of enterprise value.  The third installment will focus solely on how businesses will manage their compliance with the Executive Order (“EO”).

Companies from multiple industries will be affected by the EO, but the biggest impact will likely be felt in the biotech space, particularly by startups that need to save costs and increase cash flow.  The three categories of companies most likely to be affected are: 1) financial companies that collect information on clients and sell it to other companies for marketing purposes, whether to sell their own financial services or to market goods or services; 2) applications with a reason to track movements and location data, or social media apps that must differentiate between the content produced and the metadata associated with the content; and 3) genomics companies, like 23andMe, that have compiled valuable raw genetic data and have built partnerships with biotech companies that produce much-needed revenue and cash flow.

Each business will face external impacts and internal impacts on processes.  The external impacts will involve operations and cash flow.  The internal impacts will involve processes, such as compliance and data security.  The bottom line of the EO is that businesses may have far less money coming in and will spend significantly more on internal expenditures.  There is a strong possibility that some biotech companies, particularly startup genomics companies, will have to change their revenue structure or face bankruptcy and failure.

The enterprise value of technology companies is strongly correlated with the amount of data they collect.  Whether this data is sold to third parties to create a revenue stream for the business, or analyzed and applied to create revenue for the business, data has been a top driver of economic value for technology companies.  Though these companies range in industry from genetic testing startups to social media platforms selling targeted advertising, the value of raw data that can be analyzed to drive revenue has been the most significant basis of the enterprise value of most tech companies.  This EO, because it targets data, necessarily targets the enterprise value of technology companies.  As an example, 23andMe deserves to be studied.  23andMe sells a genetic testing kit that, at a retail level, will disclose the ancestral locations of a person’s forebears by identifying genetic markers in the test taker’s DNA.  But its business model goes beyond ancestral reports.

A February 2024 CNN article on 23andMe provides a useful illustration of the enterprise risk the EO will pose to biotech companies.  The article highlights that 23andMe’s share price has fallen around 96% (97.2% at the time of this writing) and that 23andMe could run out of money this year.  How did 23andMe become a valuable company, though?  In 2018, it reached an agreement with London-based GlaxoSmithKline (GSK) that eventually reached an investment value of $370 million for access to 23andMe’s genetic data, supplied by people seeking ancestry kits.  Pay $100 to learn your ancestry, and they sell the data for $370 million to a biotech company.  Though selling to an English company would not violate the EO, as the United Kingdom is not a “country of concern”, the principle remains that genetic companies derive value from selling access to data.  Thermo Fisher, an American company that also sells genetic testing kits, announced in January it would stop selling its genetic testing kits in areas of China that contain ethnic minorities, like Tibet, where the Chinese government is suspected of targeting the population.  This EO will close off potentially lucrative partnerships for American companies, particularly for those companies facing cash flow issues.

The EO will have significant operational impacts on businesses as well.  These impacts can be separated into two categories: external impacts and internal impacts.  The external impacts follow from the paragraph above.  Partnerships will have to be cleared to make sure that countries of concern do not directly, or indirectly, receive sensitive personal data from American companies.  An American genetic testing company could reach a partnership agreement with a British biotech company, but that company will not be able to share that data with a Russian biotech company.  This will certainly decrease the number of partnership opportunities available and will likely lower the value of permissible partnerships to the data-holding company by giving more negotiating power to the buyers, and it may adversely impact cash flow and funding efforts.

Internally, however, companies will see their expenses increase.  The EO suggests a compliance framework will be created by NIST, which will combine NIST’s cybersecurity frameworks and privacy framework.  Companies will pay more to track the flow of data and to always know its precise location, particularly after the data is permissibly shared.  Companies will need to build internal processes around data maintenance and around tracking data as it moves to make sure that both the company and its partners are complying with the EO.

Furthermore, because adversarial nations will no longer have lawful access to American testing information, one can expect efforts to hack the data to become even more frequent.  In January, 23andMe was sued because hackers were able to access and steal genetic information about test takers with Ashkenazi Jewish heritage.  Not only will companies that possess sensitive personal data become more frequent targets of hacking activity, but their processes will also have to be recorded to show compliance with the EO and alignment with the new NIST framework. 

In the end, this EO will produce a significant financial inversion.  Cash flows from partnerships will likely decrease while expenses to comply with the order will increase.  If hackers are successful, then an adversarial nation that once could have provided a financial benefit will still wind up with the data, and the company will face serious lawsuits.  Put differently, while the reduced cash flow would suggest to companies that they should curb expenses, the companies will have to spend considerably more to do all they can to ensure that foreign hackers from countries of concern do not wind up stealing the information and landing the company in lawsuits.

The third and final article in this series will be a more in-depth discussion of how the compliance regime will likely develop.  For now, American companies that hold sensitive personal data should start to examine their operational procedures and compare them to the likely shape of the EO, because just like their genetic testing, the EO is attempting to create a different world in which they will try to survive.