Go-To Guide
  • The Department of Justice’s new Data Security Program (DSP), effective April 8, 2025, imposes significant restrictions on U.S. government contractors and global companies that handle sensitive U.S. personal or government-related data.
     
  • U.S. persons and organizations that transfer, share, or provide access to such data must assess whether their transactions involve designated countries of concern and covered persons.
     
  • The DSP requires new due diligence, recordkeeping, reporting, and annual auditing obligations, with full enforcement beginning July 8, 2025. Non-compliance can result in severe civil and criminal penalties.

On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, Implementation and Enforcement Policy, and FAQs for its Data Security Program (DSP), finalized pursuant to Executive Order 14117 and 28 C.F.R. Part 202. The DSP is primarily designed to prevent certain cross-border data flows and transactions. Individuals and companies subject to the DSP are required to comply with new security requirements, reporting and recordkeeping duties, and due diligence rules.

The recently issued guidance makes evident NSD’s intent to make the DSP an enforcement priority for this administration. Access to Americans’ bulk sensitive or personal data or U.S. government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. The DSP is currently subject to a 90-day initial enforcement period, which is a limited enforcement window to give individuals and companies additional time to bring their transactions and processes into compliance with the DSP. After July 8, 2025, NSD will implement full enforcement of the DSP.
 
