America First: Mergers, Acquisitions, and the Data Factor – Understanding the Requirements of CFIUS Reviews

Editor’s Note: On February 21, 2025, The White House released the America First Investment Policy. The implications of this memorandum are clear: the U.S. government is focused on enhancing its legal and regulatory tools to safeguard national security by carefully scrutinizing foreign investments, particularly those from adversarial nations. CFIUS will play a critical role in enforcing these protections and ensuring that foreign capital does not compromise critical U.S. assets, technologies, or infrastructure. The memorandum also underscores the importance of monitoring and blocking investments that could advance the military or intelligence capabilities of foreign adversaries, particularly through the use of advanced technology and strategic sectors. As the posture of the new Administration encourages increased cross-border investments and acquisitions, the complexity of handling regulatory scrutiny grows with it—especially regarding data security. CFIUS has become a critical gatekeeper in assessing national security risks, and its assessments often hinge on how organizations manage and protect sensitive data. In this article, HaystackID’s Senior Vice President of Information Governance and Data Privacy, Matthew L. Miller, Esq., takes readers through the challenges of CFIUS compliance, the hidden risks within unstructured data, and the real-world implications of inadequate security measures. The article details case studies, including the technology companies Edmodo and TikTok, and explains why proactive data management, stringent access controls, and independent security validation are essential. Whether preparing for a CFIUS review or looking to strengthen data governance, learn why understanding these risks and solutions is more critical than ever.


America First: Mergers, Acquisitions, and the Data Factor – Understanding the Requirements of CFIUS Reviews

By HaystackID Staff

The United States recognizes the value of foreign investment in boosting economic growth, creating jobs, and fostering innovation. However, it is clear that certain foreign investments pose significant national security risks, especially those from adversarial nations such as the People’s Republic of China (PRC), which was founded in 1949 by the Chinese Communist Party (CCP), officially the Communist Party of China (CPC).

Simultaneously, we consistently hear about the exponential growth of data, further complicating matters and requiring greater domestic investment to protect that data. In large-scale mergers and acquisitions, companies need to manage petabytes of data—equivalent to billions of pages of text or thousands of hours of high-definition video. That vast volume poses immense challenges, particularly for companies undergoing CFIUS reviews.

“People don’t always seem to understand just how much data they create daily and why it matters so much where it is stored on the network or in which application, and how that data is managed,” said Matthew L. Miller, Esq., Senior Vice President of Information Governance and Data Privacy at HaystackID®. “And then we look at companies involved in CFIUS matters—managing so much information while trying to balance enforcement of new security obligations, that’s a whole other ballgame.”

The Data Problem in CFIUS Reviews: More Than Meets the Eye

Companies looking to adhere to stringent CFIUS regulations often face the challenge of implementing new controls on massive, unstructured data repositories that they have never previously had to fully assess. That all changes when a company engages with foreign investors: U.S. government scrutiny begins, and strict controls over sensitive information may follow.

“Now, you have to make sure petabytes of data not only are not accessible by a foreign entity, whether intentionally or by mistake,” Miller explained. “But you also have to ensure that all of your critical intellectual property and sensitive information is securely locked down and will not fall into the hands of our foreign adversaries.”

When working with companies on these reviews over the years, Miller has often encountered the same narrative: the IT department states firmly that no controlled unclassified information (CUI), protected intellectual property, or sensitive data exists in specific applications—only to be proven wrong.

“We always find it. And it wasn’t because someone was actually trying to steal information and compromise U.S. national security; usually, it happens because an employee who’s just trying to do their job unintentionally forgot to delete it or forgot that they were not supposed to save this kind of data in that location,” Miller said. “You don’t always find this information in the most obvious places. You have to look in the nooks and crannies of each application to be sure.”

A rogue employee may download a file to a personal account rather than saving it on OneDrive. A developer may take screenshots of user profiles while making interface changes, inadvertently capturing names, birthdays, and other sensitive information. That image, shared on collaboration platforms like Teams or stored in a GitHub repository for reference, leaves the organization vulnerable in the eyes of CFIUS monitors. Once critical technology, code, algorithms, personal data, and other sensitive information have spread beyond their intended scope in this way, they are exposed to exfiltration, potentially jeopardizing U.S. national security.

Miller emphasized the importance of reviewing end-user controls (including rights, permissions, and access) combined with robust data management and application security, saying: “While this seems daunting at first due to the sheer volume of data and number of applications subject to inspection, by implementing updated processes, adopting new methodologies and classification protocols, and regularly reviewing security controls, organizations can make this achievable. Also, strong project management makes all the difference when tracking compliance with the various National Security Agreement (NSA) obligations.”

Real-World CFIUS Compliance in Action

The America First Investment Policy directs CFIUS to strengthen its oversight over foreign investments, particularly from PRC-affiliated entities. This policy includes reviewing “greenfield” investments (new companies or operations) and expanding CFIUS’s authority over emerging technologies such as AI, quantum computing, and biotechnology.

When a Chinese video game company acquired Edmodo, a U.S.-based student education platform with over 25 million U.S. student users and their parents’ contact information, the deal triggered a CFIUS review because of the volume of sensitive personal data on U.S. citizens stored on the platform. HaystackID was engaged as the Third-Party Provider to help the company meet its compliance obligations. The stakes were high: failure to comply could have resulted in steep fines or even a forced divestiture.

Miller described some of the key measures taken to protect the platform’s sensitive data. “To ensure compliance, our team implemented structured security measures, starting with strict screened-personnel restrictions, preventing, for example, unauthorized access by China-based affiliates to repositories containing more than a petabyte of U.S. citizens’ personal and sensitive data. This step ensured that only vetted U.S.-based personnel could interact with the sensitive data, significantly reducing the risk of data exposure.”

Next, the HaystackID team conducted a thorough technology assessment process to identify vulnerabilities and close those gaps with right-sized critical data protection technologies, including Data Loss Prevention (DLP) and Enterprise Identity Access Management (EIAM). These tools were integrated to actively monitor and restrict access to sensitive information, ensuring that data movement within the organization remained secure and auditable.

Another crucial step was gaining approval from the Committee Monitoring Agency (CMA) representatives from the DoD and the Department of State for HaystackID’s plan to relocate all identified protected data to approved storage locations, such as Amazon S3 buckets, where stringent security controls and encryption mechanisms could be applied. Centralizing data storage in pre-approved, monitored environments drastically reduced the risk of unauthorized access.

Finally, as Edmodo prepared to exit the U.S. market due to a shift in corporate strategy, our team developed and executed wind-down protocols for secure data disposal. This process also needed to pass CFIUS CMA inspection. These protocols ensured that no residual data could be accessed post-exit, closing any potential loopholes for U.S. national security risks.

“Even after a company winds down operations, compliance obligations don’t just disappear overnight. It took over 12 months after Edmodo exited the U.S. for all security measures to be fully validated and approved by regulators. That’s why having the right expertise from the start is critical to a smooth transition,” Miller shared.

The Growing Stakes of Data Security in CFIUS Reviews

As global data volumes continue to skyrocket, and as reflected in the President’s memorandum, investments from foreign adversaries, including China, Russia, Iran, North Korea, and others, will require greater scrutiny, especially investments from PRC-affiliated individuals or entities, particularly those that may support the PRC’s Military-Civil Fusion strategy. Thus, the scrutiny around CFIUS compliance is only intensifying. The risks of failing to protect critical data—whether from foreign adversaries, cyber threats, insider leaks, or a lack of employee training—can have severe consequences, ranging from forced divestitures to legitimate threats to U.S. national security. This challenge extends beyond any single organization. Many companies, especially those in high-tech industries, are only beginning to realize the extent of their data exposure.

“The reality is, investments in critical infrastructure, health care, energy, agriculture, and defense-related sectors will be heavily regulated, and yet most organizations don’t fully understand where their sensitive data lives or how it’s being accessed until they’re forced to,” Miller noted. “By then, in sectors such as semiconductors, artificial intelligence, quantum, biotechnology, and aerospace, it’s often too late, and they’re scrambling to remediate security gaps.”

Real-World Proactive Security Compliance Validation in Action

CFIUS compliance is not a quick fix or a one-time process—it requires concrete actions that companies must complete within a specific time frame, as set out in the America First policy. Continuous oversight, testing, and adaptation to evolving threats are what satisfy these goals. A prime example of independent security validation in action is HaystackID’s role as an Independent Security Inspector (ISI) for TikTok U.S. Data Security, the entity that provides security and controls for all U.S. TikTok data. As part of its efforts to comply with anticipated U.S. government security mandates, TikTok engaged our team to perform red team application vulnerability testing, source code review and analysis, and network penetration security evaluations.

“After our first six months of testing, we delivered an interim report analyzing the results from our team of 80 cybersecurity specialists. We validated that protected U.S. user data is currently secure and also validated that no unauthorized data sharing was taking place via the areas of the network and applications examined,” said Miller.

The lessons from cases like TikTok bring to light a larger trend: independent oversight is becoming a cornerstone of CFIUS compliance. Whether companies are dealing with sensitive user data, proprietary software, or critical infrastructure, having an independent security validation mechanism in place, with CFIUS-trusted monitors reporting its findings, ensures continued compliance with national security obligations and allows companies to benefit substantially from foreign investment. To address these challenges, companies must implement proactive data protection, enforce stringent access controls, and conduct ongoing security audits. CFIUS compliance is not a point-in-time process—it requires continuous oversight, testing, and adaptation to evolving threats, especially those from foreign adversaries.

Learn how HaystackID’s CFIUS Compliance Advisory Services can help your organization protect critical data, maintain regulatory compliance, and mitigate national security risks.

About HaystackID®

HaystackID® specializes in solving complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, the HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by ReviewRight®. Recognized globally by industry leaders like Chambers, Gartner, IDC, and Legaltech News, HaystackID prioritizes security, privacy, and integrity in its innovative solutions for leading companies and legal practices worldwide.

Assisted by GAI and LLM technologies.

SOURCE: HaystackID