On September 24, 2019, the U.S. Department of the Treasury (“Treasury”) proposed regulations to expand considerably the scope of transactions subject to review by the Committee on Foreign Investment in the United States (“CFIUS”), to now include certain transactions in the insurance industry, where “sensitive personal data” could become accessible to a foreign person. Failure to file a voluntary declaration with CFIUS under the new regulations may result in a fine “not to exceed $250,000 or the value of the transaction, whichever is greater.” 31 C.F.R. § 800.901 (b).
The September 24, 2019 regulations, which became effective following the lapse of a shorter than normal comment period on October 24, 2019, most notably extend CFIUS review to non-passive investments in Technology, Infrastructure, and Data (“TID”) U.S. businesses, whether the investment involves a control relationship or not. The regulations replace the existing CFIUS regulations at 31 C.F.R. Part 800 in their entirety.
These new regulations should be of particular interest to U.S. businesses in the insurance industry. The reason is that the regulations’ use of the term “sensitive personal data” applies with particular force to:
the set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance.
31 C.F.R. § 800.241 (a)(1)(ii)(C). In addition, data that can be used to determine physical and mental health, consumer credit, biometrics and financial distress also fall within the FIRRMA definition of “sensitive personal data.” 31 C.F.R. § 800.241 (a)(1)(ii)(A-B, D, F-G).
According to the regulations, a U.S. business that “maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens” is a TID U.S. business. Any “control transaction” or “covered investment” involving a TID U.S. business is subject to CFIUS review. Unlike a control transaction, which requires that the foreign person acquire control of the U.S. business following a transaction covered by the 2008 CFIUS regulations, a covered investment can now refer to a non-controlling investment that affords the foreign person any of the following rights: (i) access to material non-public technical information; (ii) membership or observer rights on the board of directors or an equivalent governing body of the business, or the right to nominate an individual to a position on such body; or (iii) any involvement, other than through voting of shares, in substantive decision making regarding sensitive personal data of U.S. citizens, critical technologies, or critical infrastructure. Accordingly, a non-controlling foreign investment in a U.S. insurance business is now subject to CFIUS review.
Importantly, the new regulations define sensitive personal data in three parts. First, sensitive personal data must be “identifiable data,” meaning that it “can be used to distinguish or trace an individual’s identity, including without limitation through the use of any personal identifier.” Aggregated or anonymized data is not covered if a party to the transaction lacks the ability to disaggregate or de-anonymize the data. Encrypted data may also be excluded if the U.S. business does not have the ability to decrypt the data or trace an individual’s identity through the data. Second, the identifiable data must be maintained or collected by a U.S. business that (i) targets or tailors products to U.S. national security agencies or their personnel, (ii) has maintained or collected such data on more than one million individuals at any point over the preceding twelve months, or (iii) has a demonstrated business objective to maintain or collect data on over one million individuals, and the data is an integrated part of the U.S. business’s primary products or services. It is worth noting that these data thresholds are not limited to U.S. citizens. Third, the identifiable data must fall into one of the categories enumerated in the regulations above.
As the third part in particular makes clear, the definition of sensitive personal data will subject covered investments in U.S. insurance businesses to increased scrutiny from CFIUS. Although a CFIUS filing is not necessarily required, a U.S. insurance business should consider making a voluntary notice filing with CFIUS. Alternatively, the U.S. insurance business could file a declaration, which is an abbreviated version of the voluntary notice. Note, however, that the declaration is mandatory if a covered investment results in the acquisition of a “substantial interest” in a U.S. business by a foreign person in which a foreign government has a substantial interest. The regulations define a substantial interest as “a voting interest, direct or indirect, of 25 percent or more by a foreign person in a U.S. business and a voting interest, direct or indirect, of 49 percent or more by a foreign government in a foreign person.” Consistent with the definition of a covered investment, the definition of a substantial interest does not require voting control, by either the foreign person or the foreign government.
Importantly, the making of a loan or other similar financing arrangement by a foreign person to a U.S. insurer is not, by itself, a covered transaction. 31 C.F.R. § 800.306. However, in the event that an imminent or actual default gives rise to a “significant possibility” that the foreign person may (a) obtain control of the U.S. insurer, or (b) acquire an equity interest and any of the access or rights described in the definition of a “covered investment,” then CFIUS will accept a notice or declaration relating to the loan or other similar financing arrangement. Accordingly, a loan made by a foreign lender to a financially healthy U.S. insurer should not, as a general matter, raise concerns about CFIUS filing obligations.
Whether a voluntary notice or a mandatory declaration, the decision of whether to file, and if so, what to file, should be made in close consultation with CFIUS counsel. Additionally, and in advance of any decision to file, U.S. businesses in the insurance sector are encouraged to consider the risks posed by their maintenance and collection of sensitive personal data, together with any safeguards to counteract those risks.