The U.S. Department of Justice's new Data Security Program (DSP) became effective on April 8, 2025, representing a major development in national security law that imposes rigorous requirements and enforcement mechanisms to protect sensitive U.S. data from foreign adversaries. The DOJ has clarified that the DSP constitutes a national security measure focused on collective risks posed by foreign adversaries, not a privacy regulation focused on individual rights.
For companies that may handle U.S. sensitive personal data or government-related data, it is critical to understand the DSP's prohibitions and restrictions, compliance demands, enforcement timelines, and potential penalties in order to navigate this complex regulatory landscape.
Background and Important Dates
The DOJ established the DSP pursuant to Executive Order (EO) 14117, issued by President Biden on February 28, 2024. EO 14117 is titled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" and declared that the efforts by certain foreign countries "to access Americans' sensitive personal data and United States Government-related data constitutes an unusual and extraordinary threat."
On October 18, 2024, the DOJ National Security Division (NSD) issued a notice of proposed rulemaking (NPRM) describing the DSP, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) concurrently published proposed security requirements for protecting data covered by the DSP. On December 26, 2024, the DOJ published the final DSP rule, which became effective on April 8, 2025.
On April 11, 2025, the DOJ announced a 90-day grace period during which it would not prioritize enforcement actions against persons making good-faith efforts to comply. That pause ended on July 8, 2025, and the DOJ NSD warned that "individuals and entities should be in full compliance with the DSP and should expect NSD to pursue appropriate enforcement with respect to any violations."
Importantly, certain provisions related to implementation of data compliance programs, annual audits, and reporting requirements have a delayed compliance date and do not become effective until October 6, 2025.
Data Security Program
The DSP is aimed primarily at preventing designated "countries of concern" — currently China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela — and "covered persons" tied to those nations from obtaining bulk U.S. sensitive personal data or government-related data. The DSP regulations apply broadly to U.S. persons (individuals and entities) and their transactions involving this data, including data brokerage, vendor agreements, employment agreements, and investment agreements. ("Data brokerage" includes "the sale of data, licensing of access to data, or similar commercial transactions" involving transfer from a provider to a recipient.) Notably, the covered data includes bulk sensitive data even if it is anonymized, pseudonymized, de-identified, or encrypted; those techniques do not take data outside the DSP's scope.
Under the DSP, "covered data transactions" are categorized as either "prohibited" or "restricted" transactions. Prohibited transactions generally relate to data brokerage involving countries of concern or covered persons, and to access by countries of concern or covered persons to bulk U.S. "human 'omic data." Human 'omic data means human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data. Prohibited transactions may not be entered into without authorization from NSD in the form of either a general license or a specific license. A general license, much like those issued under U.S. economic sanctions administered by the Department of the Treasury's Office of Foreign Assets Control (OFAC), authorizes a class of transactions and is not limited to a particular person.
Other covered data transactions, such as vendor agreements, investment agreements, and employment agreements, are "restricted." A U.S. person may proceed with a restricted transaction only after meeting the finalized CISA security requirements published alongside the final DSP rule.
Compliance Requirements
With the DSP come new compliance requirements for U.S. persons that may interact with bulk U.S. sensitive personal data or government-related data. With important exceptions, the compliance requirements largely relate to "restricted" transactions, because "prohibited" transactions may not move forward without a license, which would typically include its own compliance conditions.
- Risk Assessments and Due Diligence: The first and most obvious compliance requirement is conducting due diligence and risk assessment analyses to determine whether a transaction is a "covered data transaction." After making this determination, the U.S. person must determine whether the transaction is restricted or prohibited.
- Contractual Controls: U.S. persons engaging in data brokerage transactions with foreign persons that do not involve countries of concern or "covered persons" must include contractual language prohibiting the foreign person from engaging in "onward transfer or resale" of government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons. U.S. persons should also take reasonable steps to verify that foreign counterparties comply with these contractual provisions.
- Cybersecurity Controls: Parties engaging in restricted covered data transactions must adhere to the CISA security requirements for restricted transactions.
- Data Compliance Program: No later than October 6, 2025, U.S. persons engaging in a restricted covered data transaction must implement a data compliance program with specified requirements, including:
  - Risk-based procedures for verifying data flows involved in any restricted transaction, including procedures to verify and log, in an auditable manner, the following:
    (i) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;
    (ii) The identity of the transaction parties, including any ownership of entities or citizenship or primary residence of individuals; and
    (iii) The end-use of the data and the method of data transfer;
  - For restricted transactions that involve vendors, risk-based procedures for verifying the identity of vendors;
  - A written policy that describes the data compliance program and that is annually certified by an officer, executive, or other employee responsible for compliance; and
  - A written policy that describes the implementation of the CISA security requirements and that is annually certified by an officer, executive, or other employee responsible for compliance.
- Annual Auditing: Beginning October 6, 2025, U.S. persons engaged in restricted transactions must obtain annual independent audits certifying compliance with the CISA security requirements and other applicable DSP requirements.
- Reporting Prohibited Transactions: Beginning October 6, 2025, U.S. persons that have "received and affirmatively rejected (including automatically rejected using software, technology, or automated tools)" an offer to participate in a prohibited transaction involving data brokerage must report the prospective transaction to the NSD within 14 days.
Penalties
As noted above, with the grace period over as of July 8, 2025, the DOJ NSD may pursue civil or criminal penalties for violations. The penalties are based on the International Emergency Economic Powers Act (IEEPA). Civil penalties can reach the greater of $368,136 or twice the value of the violating transaction. Willful violations risk criminal penalties, including imprisonment of up to 20 years and fines of up to $1 million.
Given the complexity and severity of the DSP, early and proactive compliance strategies are essential. As enforcement efforts intensify, full adherence to the DSP is now a national security imperative for organizations handling covered U.S. data. If you have any questions about the DOJ's new Data Security Program, please contact Torres Trade Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.