4 November 2025

DOJ Data Security Program compliance: Key considerations for organizations

All aspects of the United States Department of Justice (DOJ)’s final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,”[1] are now in force.

Also known as the Bulk Data Rule or the Data Security Program (DSP), the rule prohibits the sale of covered datasets (and access to data) to China, other countries of concern,[2] and covered persons. It restricts US organizations’ transmission of covered datasets to employees, vendors, and investors in China and other countries of concern, and requires robust cybersecurity standards to be in place to conduct such restricted transactions.

The rule stems from the US government’s concern that US adversaries have obtained US person data through legal commercial transactions before exploiting the data to target US persons (including US military and US government officials) for espionage, cyberattacks, and blackmail, among others. See our previous article on the DSP here.

Going forward, organizations are encouraged to confirm whether they are covered by the rule and assess potential obligations.

Key details of the DSP

In April 2025, DOJ provided guidance on compliance with the DSP in its Compliance Guide, Frequently Asked Questions, and Implementation and Enforcement Policy. In its Implementation and Enforcement Policy, DOJ announced that it would not prioritize civil enforcement actions against any person for violations of the DSP that occur through July 8, 2025, so long as the person is engaging in good-faith efforts to comply with, or come into compliance with, the DSP during that time.

This policy was intended to allow organizations to focus on promptly establishing and implementing compliance measures. DOJ provided the following as examples of evidence of good-faith efforts to establish compliance with the DSP:

  • Conducting internal reviews of access to sensitive personal data, including whether transactions involving access to such data flows constitute data brokerage

  • Reviewing internal datasets and datatypes to determine whether they are potentially subject to DSP

  • Renegotiating vendor agreements or negotiating contracts with new vendors

  • Transferring products and services to new vendors

  • Conducting due diligence on potential new vendors

  • Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions

  • Adjusting employee work locations, roles, or responsibilities

  • Evaluating investments from countries of concern or covered persons

  • Renegotiating investment agreements with countries of concern or covered persons

  • Implementing the Cybersecurity and Infrastructure Agency (CISA) Security Requirements,[3] including the combination of data-level requirements necessary to preclude covered person access to regulated data for restricted transactions

Because the grace period has concluded, organizations that collect and maintain covered data should understand their obligations under the DSP and ensure compliance as soon as possible.

Common reasons to review obligations under the DSP

Organizations are encouraged to review their obligations under the DSP if their work involves any of the following.[4]

  • Data brokerage of any sort, including licensing access to datasets, to any foreign person or entity

  • Transactions involving human ‘omic data

  • Employees in China and other countries of concern (i.e., Russia, Venezuela, Cuba, and North Korea) who have access to datasets (including those in a subsidiary, affiliate, or foreign branch)

  • Vendors in China and other countries of concern, or who are 50-percent or more owned by an entity of a country of concern, who have access to datasets

  • Investors in China and other countries of concern who are investing in US organizations or funds

  • Cloud computing organizations with 25 percent of their equity owned by persons or organizations from or with significant ties to China or other countries of concern

  • Operation of a website or app that collects information, or targeted advertising delivered via websites or apps

  • Organizations that collect and maintain datasets covered by the DSP (see below)

Covered datasets

If your company has data that meets the following thresholds, further analysis can determine whether your company’s transactions are in scope of the DSP.

Type of data | Quantity threshold
Human ‘omic data (e.g., genomic data) | More than 100 US persons (human genomic data); more than 1,000 US persons (all other human ‘omic data)
Biometric identifiers (including facial photos) | More than 1,000 US persons
Precise geolocation data (within 1,000 meters’ precision) | More than 1,000 US devices
Personal health data | More than 10,000 US persons
Personal financial data | More than 10,000 US persons
Covered personal identifiers (e.g., two or more of the following: government identification or account numbers, financial account numbers or PINs, device-based or hardware-based identifiers, demographic or contact data, advertising identifiers, account-authentication data, network-based identifiers, call-detail data) | More than 100,000 US persons
Government-related geolocation data, government-related personal data (i.e., data on current and former US government personnel), or any data marketed as such | Any quantity


Immediate considerations for organizations

Organizations can consider taking the following immediate steps to comply with the DSP.

1. Inventory data and data flows to assess whether the DSP applies:

  • Examine what information the company collects and whether it falls into any of the data types above

  • Evaluate the amount of data and whether it meets bulk thresholds

  • Identify entities or individuals to which the company sells or with whom the company shares that information

  • Determine the entities or individuals involved in data collection and processing or who have potential access to the data (e.g., employees, the Board of Directors, investors, vendors, affiliates, partners, and other commercial counterparties)

2. Determine data recipients: Understand citizenship and location of those receiving datasets or those who could access them to determine whether any are a “covered person” or “foreign person.”

3. Evaluate transactions: Determine what transactions might be covered (particularly any data brokerages). Review all vendor, employee, and investor access to data to determine whether transactions are prohibited, restricted, or not covered by the DSP.

4. Examine corporate structure: Examine the company’s corporate structure vis-à-vis countries of concern, including whether entities in such countries are subsidiaries, affiliates, or branches of the company’s US entity.

5. Identify exemptions: Evaluate potential exemptions (e.g., corporate group transactions, in some cases, and financial data in connection with the sale of goods or services/incidental to e-commerce).

For prohibited transactions:

  • Review contracts and terminate prohibited transactions with covered persons.

  • Insert DSP-required language into contracts for permitted data brokerage transactions with non-covered persons.

For restricted transactions:

  • Develop the required compliance program by establishing sufficient recordkeeping, audit, and annual reporting.

  • Assess changes required to meet the CISA cybersecurity standards: Review organizational, system, and data-level security measures to ensure data minimization, encryption, masking, and privacy-enhancing technologies are used as required. Note: Encrypted data is not exempt from the DSP.

Whistleblower incentives for violations

The most recent FAQ from DOJ indicates that the DSP violations are eligible for the Financial Crimes Enforcement Network (FinCEN) whistleblower program, which can entitle whistleblowers to financial incentives for reporting violations that lead to a successful government action where the penalties are greater than $1 million.

Requirements for restricted transactions

1. Set up record keeping for DSP policy documents and data transfer documentation.

2. Perform annual audits to assess DSP compliance, in line with the DSP requirements.

3. Prepare for annual reporting by ensuring records are being proactively generated for annual report submissions for entities engaged in restricted transactions involving cloud-computing services in which 25 percent or more of the entity’s equity is owned, directly or indirectly, by a covered person.

4. Monitor transactions and report any DSP violations to DOJ within 14 days.

For more information

For assistance in understanding your company’s obligations under the DSP and setting up or reviewing a compliance program, please contact the authors.

[1] 28 CFR 202, implementing Executive Order 14117.

[2] “Countries of concern” include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. 28 CFR 202.601.

[3] Federal Register: Notice of Availability of Security Requirements for Restricted Transactions Under Executive Order 14117.

[4] Not an exhaustive list.