Sponsors (2)
The bill empowers U.S. agencies to locate and act against stolen U.S. data overseas—potentially reducing harm to businesses and patients and improving oversight—while creating significant privacy risks, chances of service disruption, possibility of foreign retaliation, and added fiscal costs.
U.S. government agencies (affecting taxpayers, financial institutions, hospitals/health systems, small businesses) will be authorized and directed to locate and, when appropriate, recover, destroy, or otherwise act on stolen U.S. financial, medical, biometric, IP, and trade-secret data held by foreign entities, improving incident response and reducing ongoing harm from exposed trade secrets or PII
Congress and the public will receive an unclassified report with recommendations within one year, increasing transparency and enabling legislative oversight of these operations
Lawful U.S. owners (e.g., affected companies, hospitals) will be notified before and/or after actions when practicable, giving them an opportunity to prepare or coordinate remediation
U.S. authorization to access or manipulate data held abroad expands government intrusion into private data and raises significant privacy and civil‑liberty concerns for Americans whose data may be targeted or accessed
Operations to destroy or manipulate data located overseas risk collateral damage to legitimate foreign-hosted systems and services (including financial and medical systems), potentially disrupting services Americans rely on
Military and intelligence cyber operations against foreign-held data could provoke retaliation or escalate cyber conflict with foreign states, increasing risks to U.S. networks, commerce, and national security
Based on analysis of 2 sections of legislative text.
Directs DoD and DNI to find stolen U.S. encrypted data and classified information held abroad and, when in the U.S. economic or national security interest, attempt recovery, destruction, or manipulation and report to Congress.
Introduced March 26, 2026 by Margaret Wood Hassan · Last progress March 26, 2026
Requires the President, through the Secretary of Defense and the Director of National Intelligence, to create strategies to find covered U.S. data and classified information that foreign entities hold unlawfully, determine if it was encrypted and whether it has been decrypted, and develop ways to address that stolen material. The Secretary of Defense and the DNI may jointly decide to attempt recovery, destruction, or manipulation of such material when doing so is in the United States’ economic and national security interest, and must submit a joint unclassified report (with a classified annex if needed) to Congress within one year with recommendations. The law defines covered data to include financial, medical, biometric data, intellectual property, and trade secrets of U.S. persons, and ties definitions of "classified information" and "United States person" to existing U.S. code references; it also says agencies should, when practicable, notify lawful owners before and after operations affecting their stolen data.