ARTICLE
23 June 2025

DOJ's Bulk Data Transaction Rule: How To Meet The Data Security Program Requirements

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

In the first article of this series, titled "Navigating the DOJ's Final Rule: Data Security Program Insights and Compliance," we introduced Executive Order 14117, "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern," and highlighted key components of the Department of Justice's (DOJ) Final Implementing Rule. This rule outlines specific requirements for Restricted Transactions.

Transactions that are not prohibited outright but that involve bulk U.S. sensitive personal data or government-related data and give a country of concern (such as China) or a covered person access to that data, chiefly vendor, employment, and investment agreements, are classified as "Restricted Transactions." Pursuant to the DOJ's Final Rule, organizations engaging in Restricted Transactions must implement specific security measures to prevent or limit access by countries of concern or covered persons. These measures consist of the DOJ's required Data Security Program (DSP) together with the security requirements published by the Cybersecurity and Infrastructure Security Agency (CISA), which together implement the Executive Order.

The DOJ's Final Implementing Rule mandates the establishment of a Data Security Program in which organizations must: 1) adhere to the CISA security requirements, 2) develop and implement a Data Compliance Program, 3) conduct regular audits, and 4) fulfill certain recordkeeping obligations.

Our second article, titled "DOJ's Bulk Data Transaction Rule: Implementing the CISA Security Requirements for Restricted Transactions," focused on strategies for implementing the CISA security requirements within the context of Restricted Transactions. This article provides considerations for implementing the remaining components within the DSP, including the Data Compliance Program, regular audits, and recordkeeping obligations.

Data Compliance Program [1]:

  • Due Diligence:
    • Risk-Based Procedures for Verifying Data Flows and Logging: Organizations must establish and implement risk-based procedures for verifying data flows involved in Restricted Transactions. These procedures must include auditable verification and logging of: (1) the types and volumes of bulk U.S. sensitive personal data or government-related data involved; (2) the identities of the transaction parties, including details on entity ownership and the citizenship or primary residence of individuals; and (3) the intended use of the data and the method of its transfer.
    • Vendor Management and Validation: For Restricted Transactions involving vendor agreements, organizations must incorporate risk-based procedures to verify the identity of vendors. Specifically, organizations are required to screen vendors to determine whether they qualify as covered persons, which includes entities organized or headquartered in a country of concern and entities that are 50% or more owned, directly or indirectly, individually or in the aggregate, by a country of concern or by other covered persons.
    • Written Data Compliance Program Policy: Organizations must maintain a written policy describing the program, certified annually by an officer, executive, or employee responsible for compliance. To be robust, the written procedures should accurately reflect the organization's day-to-day operations, be practical to follow, make compliance straightforward to verify, and deter employee misconduct. Companies should communicate the program's policies and procedures to, and confirm understanding among, all relevant staff: compliance functions, key business units such as sales and vendor procurement, security personnel, and third parties performing relevant duties on the organization's behalf.
    • Written Security Requirements Policy: Organizations must implement a written policy detailing the implementation of the CISA security requirements. This policy must be annually certified by an officer, executive, or employee responsible for compliance.
  • Training Personnel: While not explicitly mandated by the DSP, U.S. persons engaged in restricted transactions should consider offering regular training — ideally, at least annually — on the Data Compliance Program and CISA security requirements to pertinent employees and personnel.
  • Audit Requirements: Organizations engaged in restricted transactions must have a comprehensive, independent, and objective audit conducted once per calendar year for any restricted transaction, covering the preceding 12 months. A separate, dedicated audit is not necessary: to ease the compliance burden, an audit completed for another purpose may be used to satisfy the DSP requirement, provided it addresses the DSP's criteria.
  • Recordkeeping and Reporting Requirements:
    • Recordkeeping Requirements: U.S. persons engaging in transactions subject to the DSP must maintain full and accurate records and keep them accessible for at least ten years. Annually, a senior official must certify the completeness and accuracy of the company's recordkeeping, supported by an audit.
    • Reporting Requirements: Upon request from the DOJ, organizations must furnish complete information under oath regarding any act or covered data transaction, whether in the form of reports or otherwise.
  • Involvement of Senior Management and Compliance Personnel: An officer, executive, or employee responsible for compliance will need to annually certify: (1) the implementation and due diligence efforts of the company's Data Compliance Program; (2) the implementation of applicable CISA security requirements; and (3) the completeness and accuracy of recordkeeping, supported by an audit.
  • Annual Reporting Requirement: Certain organizations must file an annual report with the DOJ's National Security Division detailing their restricted transactions from the previous calendar year, due by March 1 of the following year. This requirement applies to organizations engaged in restricted transactions involving cloud-computing services that are 25% or more owned, directly or indirectly, by a country of concern or a covered person.

Ankura is actively engaging with organizations on the evaluation and implementation of the required Data Security Program. Contact Ankura's cybersecurity and data privacy team for more information and specific planning recommendations.

Footnote

1. DOJ, Data Security Program: Compliance Guide (April 11, 2025), p. 11.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
