As previously reported, October 6, 2025, marks the final deadline in the implementation of the Department of Justice's (DOJ) Data Security Program (DSP). As of that date, businesses dealing with U.S. bulk personal data or government-related data need to be compliant with due diligence, auditing, recordkeeping, and reporting requirements. The following compliance measures will be expected of any company engaging in covered data transactions:
Due Diligence and Audit Requirements
Due diligence for restricted transactions [1]
By October 6, 2025, companies must at a minimum implement a data compliance program that includes the following:
- Risk-based procedures to verify data flows for any restricted transaction to include the types and volumes of government-related or bulk U.S. personal data, the identity of the transacting parties, and the end-use of the data and method of transfer;
- Risk-based procedures for verifying the identity of vendors;
- A written policy that describes the company's data compliance program that is annually certified by a compliance officer; and
- A written policy that describes the implementation of the necessary security requirements that are annually certified by a compliance officer.
Audits for restricted transactions [2]
U.S. persons engaged in restricted transactions must also annually conduct an audit by an independent auditor. The audit must consist of a full examination of the past year's restricted transactions and the U.S. person's data compliance program. The auditor must prepare and submit a written report within 60 days of completion of the audit.
Reporting and Recordkeeping Requirements
U.S. persons engaging in any restricted transaction must keep full records of those transactions and keep them available for examination for at least 10 years after the date of the transaction. Reports must also be produced on demand, in a usable format, for the Department of Justice.
Annual reports [3]
Beginning on October 6, 2025, any U.S. person engaged in a restricted transaction involving cloud-computing services, and that has 25 percent or more of its equity interests owned by a country of concern or covered person, will need to file an annual report with the DOJ. The annual reports shall contain the following information:
- The name and address of the U.S. person engaging in the covered data transaction, and the name, telephone number, and email address of a contact from whom additional information can be obtained;
- A description of the covered data transaction;
- A copy of documentation created in reference to the transaction; and
- Any other information that the DOJ may require.
Reports on rejected prohibited transactions [4]
Any U.S. person that has received and affirmatively rejected an offer to engage in a prohibited transaction involving data brokerage must file a report within 14 days of rejecting the transaction. The reports shall contain similar information as required in the annual reports for covered restricted transactions.
Footnotes
1. See § 202.1001.
2. See § 202.1002.
3. See § 202.1103.
4. See § 202.1104.