Cybersecurity month starts with a critical compliance date for the Department of Justice (DOJ)'s Data Security Program (DSP). Starting on Oct. 6, any U.S. person or company handling Americans' bulk sensitive or personal data or U.S. government-related data must implement a written data compliance program that lays out specified due diligence, audit, reporting, and recordkeeping processes for covered data transactions.
As we previously covered in a June 2025 GT Alert, the DSP imposes new regulations and security requirements that govern cross-border data flows and transactions. The DSP, which initially went into effect this Spring with a limited enforcement window, broadly impacts both U.S. and non-U.S. persons, including thousands of small business firms.
During the current shutdown period, companies may expect DSP to remain a high priority for DOJ's National Security Division, which stated in this week's contingency plan that excepted employees will focus on efforts including export control, sanctions violations, and cybersecurity prosecutions and investigations.
By Oct. 6, all impacted persons and companies must be in full compliance with the DSP, including these forthcoming requirements:
- Data Compliance Program: U.S. persons and companies must implement a written data compliance program that includes risk-based procedures to verify and log data flows for restricted transactions. Specifically, the program must cover the types and volumes of government-related or bulk U.S. sensitive personal data involved, the identity of all transacting parties and vendors, and the end-use and method of data transfer. The data compliance programs must be certified annually by a responsible officer or employee. 28 C.F.R. 202.1001.
- Audit and Report for Restricted Transactions: Any U.S. person or company engaging in certain restricted transactions covered by the DSP must conduct an annual independent audit covering the previous 12 months. The audit must be performed by a qualified auditor who is not affiliated with any covered persons or countries of concern. Within 60 days of completion, the auditor must submit a detailed, written report that must be retained for at least 10 years. 28 C.F.R. 202.1002.
- Annual Reports: Any U.S. person or company engaged in restricted cloud-computing transactions with 25% or more ownership by a "country of concern" or covered person must file an annual report by March 1 covering transactions as of Dec. 31 of the previous year. The report must include the U.S. person's contact information, details of the transaction, copies of related documentation, and any other information required by DOJ. 28 C.F.R. 202.1103.
- Reports on Rejected Prohibited Transactions: Any U.S. person or company who receives and affirmatively rejects—including through automated means—an offer to engage in a prohibited data brokerage transaction must file a report within 14 days of the rejection. The report should include the U.S. person's contact information, details of the rejected transaction, copies of relevant documentation, and any other information required by DOJ. 28 C.F.R. 202.1104.
Businesses should assess their data inventory, data flows, and vendor relationships to determine their DSP compliance postures. Potential penalties for violations under the DSP may be severe, including civil and criminal liability risks, and investigations pursuant to whistleblower actions.
To better understand these obligations and early enforcement trends, Greenberg Traurig is hosting an informational presentation on Oct. 15. to help organizations learn more about and prepare for the upcoming requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
