6 October 2025

Incoming Deadlines And Requirements For DOJ's Data Security Program On Oct. 6, 2025

Greenberg Traurig, LLP

Contributor

Greenberg Traurig, LLP has more than 2,850 attorneys across 49 locations in the United States, Europe, the Middle East, Latin America, and Asia. The firm’s broad geographic and practice range enables the delivery of innovative and strategic legal services across borders and industries. Recognized as a 2025 BTI “Best of the Best Recommended Law Firm” by general counsel for trust and relationship management, Greenberg Traurig is consistently ranked among the top firms on the Am Law Global 100, NLJ 500, and Law360 400. Greenberg Traurig is also known for its philanthropic giving, culture, innovation, and pro bono work. Web: www.gtlaw.com.

Cybersecurity month starts with a critical compliance date for the Department of Justice (DOJ)'s Data Security Program (DSP). Starting on Oct. 6, any U.S. person or company handling Americans' bulk sensitive or personal data or U.S. government-related data must implement a written data compliance program that lays out specified due diligence, audit, reporting, and recordkeeping processes for covered data transactions.

As we previously covered in a June 2025 GT Alert, the DSP imposes new regulations and security requirements that govern cross-border data flows and transactions. The DSP, which initially went into effect this spring with a limited enforcement window, broadly impacts both U.S. and non-U.S. persons, including thousands of small business firms.

During the current shutdown period, companies may expect DSP to remain a high priority for DOJ's National Security Division, which stated in this week's contingency plan that excepted employees will focus on efforts including export control, sanctions violations, and cybersecurity prosecutions and investigations.

By Oct. 6, all impacted persons and companies must be in full compliance with the DSP, including these forthcoming requirements:

  • Data Compliance Program: U.S. persons and companies must implement a written data compliance program that includes risk-based procedures to verify and log data flows for restricted transactions. Specifically, the program must cover the types and volumes of government-related or bulk U.S. sensitive personal data involved, the identity of all transacting parties and vendors, and the end-use and method of data transfer. The data compliance programs must be certified annually by a responsible officer or employee. 28 C.F.R. 202.1001.
  • Audit and Report for Restricted Transactions: Any U.S. person or company engaging in certain restricted transactions covered by the DSP must conduct an annual independent audit covering the previous 12 months. The audit must be performed by a qualified auditor who is not affiliated with any covered persons or countries of concern. Within 60 days of completion, the auditor must submit a detailed, written report that must be retained for at least 10 years. 28 C.F.R. 202.1002.
  • Annual Reports: Any U.S. person or company engaged in restricted cloud-computing transactions with 25% or more ownership by a "country of concern" or covered person must file an annual report by March 1 covering transactions as of Dec. 31 of the previous year. The report must include the U.S. person's contact information, details of the transaction, copies of related documentation, and any other information required by DOJ. 28 C.F.R. 202.1103.
  • Reports on Rejected Prohibited Transactions: Any U.S. person or company who receives and affirmatively rejects—including through automated means—an offer to engage in a prohibited data brokerage transaction must file a report within 14 days of the rejection. The report should include the U.S. person's contact information, details of the rejected transaction, copies of relevant documentation, and any other information required by DOJ. 28 C.F.R. 202.1104.

Businesses should assess their data inventory, data flows, and vendor relationships to determine their DSP compliance postures. Potential penalties for violations under the DSP may be severe, including civil and criminal liability risks, and investigations pursuant to whistleblower actions.

To better understand these obligations and early enforcement trends, Greenberg Traurig is hosting an informational presentation on Oct. 15 to help organizations learn more about and prepare for the upcoming requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
