DOJ’s New Data Security Program Explained

Client Updates / September 08, 2025

Written by Guy Milhalter and Austin Ochoa

In an increasingly interconnected world, the flow of data across borders has become a critical aspect of the global economy. However, this also presents risks, particularly when sensitive personal data falls into the hands of foreign adversaries. To address these concerns, the U.S. Department of Justice (DOJ) launched the Data Security Program (DSP), a regulatory framework aimed at protecting Americans’ data from exploitation by countries of concern. The DSP is now in full effect, with enforcement underway following the end of the DOJ’s 90-day grace period, making compliance a present—not future—priority for any U.S. business that transfers sensitive personal or government-related data with certain foreign parties.

The new rules affect U.S. businesses that handle sensitive personal or government-related data, particularly in sectors like technology, health care, finance, and defense. For example, a hospital sharing genomic data with a foreign research partner, a fintech company outsourcing identity verification using biometric logins, or a defense contractor employing engineers abroad could all trigger review under the program. Determining whether a transaction is prohibited or restricted often requires a close review of data flows, vendor agreements, and corporate ownership structures. Early legal review can help companies understand where they fall under the program and put the right compliance measures in place before issues arise.

The Origin: Executive Order 14117

The DSP stems from Executive Order (E.O.) 14117, issued in 2024, which established a new federal regulatory framework to restrict the transfer of sensitive U.S. data to foreign adversaries. The order declared that the unrestricted sale and transfer of bulk U.S. sensitive personal data to certain foreign countries poses an “unusual and extraordinary threat” to national security, and directed the DOJ to implement binding regulations.

Key Components of the Data Security Program

That framework is now codified in Title 28 CFR Part 202, which functions like an export-control system for data. It creates enforceable rules on the sale and transfer of, and access to, Americans’ personal data and government-related data, and applies to all U.S. persons. In practice, it restricts how U.S. persons may transact with countries of concern or covered persons.

Key Terms to Know

  • Countries of Concern: The DOJ has designated specific nations as “countries of concern,” meaning foreign governments that, as determined by the Attorney General with the concurrence of the Secretaries of State and Commerce, (i) have engaged in a long-term pattern or serious instances of conduct significantly adverse to U.S. national security or the security and safety of U.S. persons, and (ii) pose a significant risk of exploiting government-related data or bulk U.S. sensitive personal data to the detriment of U.S. national security or safety. These countries currently include China, Russia, Iran, North Korea, Cuba, and Venezuela.
  • Covered Persons: A covered person is an individual or entity that falls into one of the classes described in the DSP (without any designation), or that the DOJ designates as a covered person. The four classes of persons that are covered persons whether or not designated are: (1) foreign entities headquartered in or organized under the laws of a country of concern, or 50% or more owned, individually or in the aggregate, by one or more countries of concern or other covered persons; (2) foreign entities 50% or more owned, individually or in the aggregate, by a country of concern or another covered person; (3) foreign individuals that are employees or contractors of a country of concern or covered person; and (4) foreign individuals who are primarily resident in a country of concern. The fifth category of covered persons is those persons the DOJ designates and publicly identifies, pursuant to 28 CFR 202.211(a)(5). The final rule includes examples of types of covered persons.
  • Covered Data Transactions: A covered data transaction is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves: (1) data brokerage; (2) a vendor agreement; (3) an employment agreement; or (4) an investment agreement. The final rule includes a number of examples for each type of covered data transaction.
  • Types of Data Protected: The DSP protects U.S. Government-related data and bulk U.S. sensitive personal data.
    • U.S. Government-Related Data:
      • Precise geolocation data for any location listed on the Government-Related Location Data List, regardless of volume. Examples include military installations and other sensitive facilities identified in 28 CFR 202.222(a)(1).
      • Sensitive personal data, regardless of volume, that is marketed as linked or linkable to:
        • Current or recent former employees or contractors of the U.S. Government (within the past two years); or
        • Former senior officials of the U.S. Government, including military and intelligence community personnel.
    • Bulk U.S. Sensitive Personal Data: A collection of sensitive personal data relating to U.S. persons that meets or exceeds the applicable bulk threshold identified in 28 CFR 202.205. The term “sensitive personal data” includes covered personal identifiers (e.g., name, SSN, email, phone number), precise geolocation data, biometric identifiers (e.g., fingerprints, facial recognition data), human ‘omic data (e.g., genomic, proteomic, or metabolomic data), personal health data, personal financial data, or any combination of the above.
    • Even anonymized, pseudonymized, de-identified, or encrypted data may still be covered, where such data meets or exceeds the applicable bulk thresholds set forth in 28 CFR 202.205.

Prohibited and Restricted Transactions

The DSP distinguishes between prohibited and restricted transactions, each subject to specific requirements:

  • Prohibited Transactions: The DSP prohibits certain covered data transactions, including:
    • Data-brokerage transactions involving bulk U.S. sensitive personal data or government-related data with countries of concern or covered persons.
    • Data-brokerage transactions with other foreign persons unless there is a contractual prohibition on resale to countries of concern or covered persons and a process for reporting violations.
    • Transactions that give countries of concern or covered persons access to bulk human ‘omic data or related biospecimens.
    • Transactions structured to evade, cause, or conspire to violate these rules.
    • Knowingly directing a prohibited or restricted transaction that fails to meet DSP requirements.
  • Restricted Transactions: Restricted transactions are covered data transactions involving vendor, employment, or investment agreements with countries of concern or covered persons. These may proceed only if the U.S. person complies with all DSP requirements. This includes meeting the Cybersecurity and Infrastructure Security Agency (CISA) security requirements, implementing a Data Compliance Program, conducting required audits, and maintaining proper records. Transactions that involve such agreements and give countries of concern or covered persons access to bulk human ‘omic data or biospecimens from which such data can be derived are always prohibited, not restricted.

Compliance Requirements for Restricted Transactions

U.S. persons engaging in restricted transactions must implement a Data Compliance Program that satisfies the DSP’s standards. At a high level, this includes:

  • Security Requirements: Implement the CISA-defined security controls for restricted transactions.
  • Risk-Based Procedures: Verify the type and volume of data, identify all transacting parties, and confirm the transfer method and end-use of data.
  • Vendor Management: Screen and monitor vendors to ensure they are not covered persons.
  • Written Policies: Maintain and annually certify a written Data Compliance Program policy and a Security Requirements policy. U.S. persons engaging in any restricted transactions must develop and implement a Data Compliance Program by October 6, 2025.
  • Audits: Conduct annual, independent audits to confirm compliance.
  • Recordkeeping and Reporting: Keep complete records for at least 10 years and fulfill all required reporting obligations.

Exemptions and Licensing

While the DSP imposes significant restrictions, it also provides for certain exemptions and licensing mechanisms:

  • Exempt Transactions: Examples of activities exempt from the DSP’s prohibitions include: personal communications; the exchange of informational materials such as research publications; activities ordinarily incident to travel; official U.S. government business; data transactions incident to the provision of financial services; certain intra-company transactions within a corporate group; transactions required by law or treaty; and specific data transfers related to telecommunications, regulatory approvals for drugs or medical devices, and FDA-regulated clinical investigations. While these exemptions can remove otherwise applicable restrictions, they are narrowly defined, and organizations should confirm eligibility before relying on them.
  • General Licenses: The DOJ may issue general licenses authorizing certain categories of covered data transactions for a defined class of persons, without the need for individual applications. These licenses typically outline the specific scope, conditions, and duration under which the authorized transactions may occur. The DOJ will publish any general licenses on its website and in the Federal Register.
  • Specific Licenses: Individuals or entities may apply for specific licenses to engage in particular covered data transactions that would otherwise be prohibited. The DOJ will review such applications under a “presumption of denial” standard, meaning approval will only be granted if the applicant can provide compelling evidence and justification demonstrating that the transaction does not pose the national security risks the prohibition is intended to address.

Enforcement and Penalties

The DOJ has the authority to enforce the DSP through civil and criminal penalties. Violations can result in substantial fines and, in some cases, imprisonment. The DOJ’s 90-day enforcement grace period ended on July 8, 2025. While the program became effective April 8, 2025, DOJ deferred most enforcement actions during the grace period for U.S. persons making good-faith efforts toward compliance. With the grace period now over, DOJ expects U.S. persons to be in full compliance and will prioritize enforcement—pursuing penalties for violations, particularly those that are egregious or willful.

Seeking Guidance and Clarification

The DSP can be complex, and the DOJ encourages individuals and entities to seek guidance and clarification. The DOJ provides several avenues for obtaining information, including:

  • Compliance Guide: A comprehensive guide to assist individuals and entities in understanding and complying with the DSP.
  • Frequently Asked Questions (FAQs): A regularly updated list of FAQs addressing common questions about the DSP.
  • Advisory Opinions: U.S. persons can request advisory opinions from the DOJ regarding the application of the DSP to specific transactions.

With enforcement now underway, U.S. companies should be operating with full DSP compliance and closely monitoring ongoing DOJ guidance. The program’s requirements are broad and will continue to evolve, making it critical for businesses engaged in covered data transactions—particularly those involving foreign countries of concern—to maintain strong compliance processes and adapt quickly to new obligations.

Recommended Actions: Companies should begin by mapping potentially covered data and evaluating whether their vendors, customers, employees, or affiliates create pathways for access by covered persons. Where restricted transactions cannot be avoided, firms must implement the DOJ’s required security measures and build out risk-based compliance programs—including policies, audits, and reporting—well before the October 6, 2025 deadline. SEC registrants should also review disclosure obligations, ensuring their risk factor and cybersecurity governance reporting aligns with DSP expectations.