One Expert, One Topic — Loyaan Egal Talks Data, National Security, and Knowing Yourself

One Expert, One Topic — Loyaan Egal Talks Data, National Security, and Knowing Yourself

  • Post author:
  • Post category:
    guru

Loyaan Egal is, quite literally, an African American—born to a Somali father and an American mother.

That kind of cultural whiplash—ninth grade in Saudi Arabia, tenth grade in New York City—does something to you. In Loyaan’s case, it taught him how to adapt fast, read his environment, and say yes when opportunities showed up in unusual packaging.

And he’s said yes to a lot: from interning in the music industry while attending St. John’s University—rubbing shoulders with names like Notorious B.I.G. and Mary J. Blige—to serving as a federal prosecutor in Manhattan and D.C., to running national security risk reviews involving foreign investment, telecommunications, and ICTS supply chain at the Department of Justice. Most recently, he served as Chief of the Enforcement Bureau at the FCC, where he helped lead the agency’s work on robocalls, national security, fraud enforcement, and the focused push to address privacy, data protection, and cybersecurity concerns by protecting U.S. communications networks and the sensitive data that traverse them as head of the FCC’s Privacy and Data Protection Task Force.

He’s now in private practice as a partner at Morgan Lewis, where he helps companies—especially tech and telecom players—navigate that fast-shifting convergence of data, foreign investment/participation, and national security.

About The Series

This is the twenty-first installment in the “One Expert, One Topic” series, where field experts select a topic and share essential insights using Matt Abrahams’ What/So-What/Now-What format. Presented in written form, it allows you more time to absorb the topic and guides you on where to go for further learning. We are grateful to our contributors for sharing their wisdom in this format.

What

The US government is drawing a harder line around bulk sensitive personal data—especially when it involves foreign investors, data brokers, or third parties in countries like China or Russia.

The Department of Justice’s new data security program under Executive Order 14117 is aimed squarely at companies that handle sensitive categories of data: biometrics, precise geolocation, financials, genomic information, and personal identifiers like phone numbers, IP addresses, or advertising identifiers that in combination with other personal identifying information raises the sensitivity of the data—especially when that data could be accessed by, sold to, or shared with a country of concern.

For companies that touch customer data—particularly MarTech, CPaaS, and AI-driven platforms—this isn’t theoretical. It’s operational. If your product touches the wrong type of data or involves the wrong third party, you could be labeled a national security risk.

So What

This is the kind of issue that starts as a compliance question and ends as an existential threat.

A growing number of tech companies—especially those calling themselves “AI companies”—are turning into massive collectors of user data. Not just CDRs and phone numbers, but geolocation, behavior, device intelligence, clickstreams, and transaction metadata. And once you cross into that terrain, you don’t get to decide whether you’re in national security territory—the government does.

Loyaan’s time at DOJ and the FCC gave him a front-row seat to how those decisions get made. The risk calculus is straightforward but unforgiving:

  • What data do you collect?
  • Who touches or has access to it (vendors, investors, resellers)?
  • Can it be used to profile US citizens or institutions?
  • And if yes, can the risk be mitigated—or is it time to shut it down?

The cost of waiting until you’re flagged is enormous: civil and/or criminal penalties, blocked transactions, forced divestitures, and regulatory freezes that can erase years of product development.

And for those in the CPaaS or messaging world who’ve expanded their platforms to include CRM, behavior tracking, or engagement analytics, it’s even more urgent. As Loyaan put it: “You don’t have to be hacked if you’re just selling it to a data broker.” That’s the level of scrutiny we’re now operating under.

Now What

If you’re building, selling, or aggregating customer data—especially for targeting, personalization, or analytics—it’s time to ask yourself five key questions:

  1. Are we collecting data that falls into one of the sensitive categories: biometrics, financials, precise geolocation, or personal identifiers?
  2. Do any of our vendors, resellers, or investors fall under foreign ownership, control, or jurisdiction of a “country of concern”?
  3. Are we in—or could we be pulled into—a covered transaction under EO 14117 or related supply chain reviews?
  4. Have we reviewed our data flows, contracts, and systems through a national security lens—not just a privacy or compliance one?
  5. Do we know our customer? More importantly: do we know ourselves?

As Loyaan said, “The government isn’t an expert in your technology or your business model. You have to be able to explain it to them—before someone else does.”

You can connect with Loyaan Egal via LinkedIn or his work at Morgan Lewis. For anyone building at the intersection of AI, communications, and consumer data—this isn’t a wait-and-see moment. It’s a know-thyself moment. And the stakes are only getting higher.

Tags: