In the Biden Administration’s continuing effort to reduce the risk of cybersecurity spyware from foreign adversaries, including Russia, the United States Department of Commerce (Commerce) issued a final rule (Rule) on June 16, 2023, entitled “Protecting Americans’ Sensitive Data from Foreign Adversaries” and also amended a previously issued rule (“Securing the Information and Communications Technology Supply Chain”) that had been published under a Biden Executive Order. The new Rule gives Commerce authority to prohibit or regulate communications technology or services connected to foreign adversaries that pose a risk to national security, including software.

For the first time using the authority provided by the Rule, on June 19, 2024, Commerce issued a final determination prohibiting Kaspersky Lab, Inc., its affiliates, subsidiaries, and parent companies from “directly or indirectly” providing anti-virus software and cybersecurity products or services in the U.S. According to Commerce, “Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use. The full list of prohibited transactions can be found here. ” Kaspersky has until September 29, 2024, to cease doing business in the U.S. and provide existing customers anti-virus and codebase updates until that time.

Kaspersky has been selling software and services in the U.S. for years, so it is no doubt embedded in company cybersecurity programs throughout the U.S. according to Commerce:

            “Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination. However, any individual or business that continues to use Kaspersky products and services assumes all the cybersecurity and associated risks of doing so.”

Commerce determined that Kaspersky posed an undue or unacceptable risk to national security because “the ability to gather valuable U.S. business information, including intellectual property, and to gather U.S. persons’ sensitive data for malicious use by the Russian Government, pose an undue or unacceptable national security risk and therefore prohibits continued transactions involving Kaspersky’s products and services.”

On June 20, 2024, in coordination with Commerce, the Department of Treasury’s Office of Foreign Assets Control (OFAC) designated twelve executives and senior leadership from Kaspersky to the OFAC sanctions list. If you are using Kaspersky products or services, the final determination has a meaningful impact on your organization. This means that as of June 19, 2024, Kaspersky will no longer be able to provide support for any of its products or services in the U.S., and its executives are listed on the OFAC sanctions list. You may wish to heed Commerce’s recommendations if you hare in this position.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.