On Feb. 28, 2024, President Biden issued Executive Order 14117, titled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." This executive order aims to protect sensitive data from foreign adversaries by restricting or prohibiting transactions involving bulk sensitive personal and government-related data, as well as entities from designated countries of concern.
- Bulk sensitive personal data includes information about individuals — such as financial, biometric, geolocative, and health data — collected or maintained beyond a specified threshold (e.g., 10,000 or 100,000 individuals).
- Government-related data refers to information held by the U.S. government or its agencies.
- Countries of concern include China, Cuba, Iran, North Korea, Russia, and Venezuela, along with certain individuals and entities associated with these nations.
In general, transactions involving bulk sensitive personal data or government-related data — which involve cross-border data transactions to countries of concern — are considered "restricted transactions." Pursuant to the Department of Justice's (DOJ) Final Rule, organizations with restricted transactions must implement specific security measures to prevent or limit access by countries of concern or covered persons. These security measures are outlined in the DOJ's required Data Security Program (DSP) and Cybersecurity and Infrastructure Security Agency's (CISA) security requirements, which implement the executive order.
Specifically, the provisions regulating restricted transactions are intended to prevent access to government-related or bulk U.S. sensitive personal data by covered persons or countries of concern.[1] In most cases, the implementation of the CISA security requirements will lead to scenarios that involve denying access outright or implementing data-level mitigation requirements, which will have a similar outcome to denying access.
This article series aims to unpack the DOJ's final rule and provide a compliance strategy for implementing the requirements of the DOJ's DSP. To comply with the DSP requirements for restricted transactions, organizations must:
- Implement the CISA security requirements.
- Develop and implement a Data Compliance Program.
- Conduct regular audits.
- Meet certain recordkeeping requirements.
Given the tight timeframe for implementing the DSP, we want to highlight recent related regulatory guidance:
- Security Requirements for Restricted Transactions: Shortly after the DOJ issued the Final Rule, in January 2025, the U.S. CISA published "Security Requirements for Restricted Transactions." These requirements aim to reduce the risk of sharing U.S. government-related data or large volumes of sensitive U.S. data with countries of concern or covered individuals through restricted transactions.
- DOJ Guidance: In April 2025, the DOJ issued three supporting documents to further guide the implementation of Executive Order 14117:
  - Data Security Program Implementation and Enforcement Policy: This document, titled "Data Security Program: Implementation and Enforcement Policy Through July 8, 2025," grants a 90-day extension to July 8, 2025, for organizations to continue implementing necessary changes to comply with the DOJ's Final Rule, provided they are making good-faith efforts. On July 8, 2025, the limited enforcement rule expires, and by Oct. 6, 2025, organizations must comply with all sections of the law.
  - Data Security Program Compliance Guide: This document, issued by the DOJ in April 2025 and titled "Data Security Program: Compliance Guide," provides general information to assist organizations in complying with the Final Rule and to support a better understanding of the scope of the DSP.
  - Data Security Program: FAQ: This document, issued by the DOJ in April 2025 and titled "Data Security Program: Frequently Asked Questions," offers answers to over 100 questions, providing clarifying responses.
In the second article of this series, we will delve into the CISA security requirements for restricted transactions, which represent the largest obligation of the DSP. In the third article, we will review additional aspects of the DSP, including the Data Compliance Program, auditing requirements, and recordkeeping requirements.
Ankura is actively engaging with organizations to evaluate and implement the required DSP. Contact Ankura's cybersecurity and data privacy team for more information and specific planning recommendations.
Interested in learning more? Don't miss our complimentary live masterclass on June 18, 2025:
Practical Approaches to Preventing Access to Americans' Sensitive Data under Executive Order 14117 - Legal & Technical Strategies for implementing the DOJ's Final Rule and the required Data Security Program
Join us for an exclusive CLE-eligible live masterclass with cybersecurity, data privacy, and international trade professionals from Baker McKenzie and Ankura, where they will share how to implement a successful Data Security Program that complies with the DOJ's Final Rule on Restricted Transactions.
Gain insights into the regulatory and international trade landscape and learn program best practices and strategies to meet the DOJ's Final Implementing Rule.
Footnote
[1] Data Security Program: Frequently Asked Questions. DOJ. April 2025. FAQ 66.