20 October, 2025

The U.S. Department of Justice (DOJ) has unveiled a new Data Security Program (DSP) aimed at enhancing the protection of sensitive data against foreign access. Effective from October 6, 2025, organizations must adhere to strict due diligence, audit, and reporting obligations concerning data transactions involving countries designated as “countries of concern.” Noncompliance could result in severe civil and criminal penalties, making immediate assessment and documentation critical.

Earlier this year, the DOJ’s National Security Division (NSD) introduced the DSP as part of a broader strategy to fortify national security interests. This initiative marks a significant shift in the federal government’s approach to cybersecurity, emphasizing the need for “best-in-class safeguards” for entities managing sensitive U.S. data.

Implications for Companies

To ensure compliance with the DSP, companies should take several proactive steps. First, they need to determine if they fall under the DSP’s scope, which encompasses a wide range of activities related to data processing and foreign access. This includes transactions involving third-party vendors.

Conducting a self-assessment is essential. Organizations should engage their legal and cybersecurity teams to evaluate existing data security practices against DSP requirements. Any identified compliance gaps must be addressed, including aspects such as employee roles, vendor oversight, access controls, and incident response readiness. It is also advisable for companies to maintain detailed records of their assessments and remediation plans.

Legal counsel should be consulted for guidance on risk analysis, program development, and audit preparations. Companies might consider requesting advisory opinions from the NSD to further clarify compliance expectations.

Understanding Key Program Principles

The DSP, which took effect on April 8, 2025, imposes export-control-style restrictions that bar U.S. persons from participating in specific data transactions. It targets organizations that manage or have access to sensitive data belonging to U.S. persons, particularly where there is a risk of foreign involvement.

Under the DSP, transactions involving countries of concern—namely, China, Cuba, Iran, North Korea, Russia, and Venezuela—are strictly regulated. U.S. persons may not engage in “covered data transactions” with these countries unless they meet all relevant DSP stipulations. Covered persons include foreign entities operating in these countries and individuals who are residents or employees of such entities.

Covered data transactions involve access to government-related data or bulk U.S. sensitive personal data, which includes identifiers such as geolocation data, biometric information, and personal health or financial data. Notably, this definition applies regardless of whether the data has been anonymized or encrypted.

Prohibited transactions include those related to data brokerage or bulk “human ’omic” data. Organizations must comply with standards set by the Cybersecurity and Infrastructure Security Agency (CISA) for restricted transactions and adhere to specific due diligence obligations.

Compliance and Enforcement

With the October 6, 2025, deadline approaching, companies must prepare for the new compliance landscape. While the DOJ has indicated a commitment to enforcing data security regulations, the NSD historically has pursued relatively few civil enforcement actions. This raises questions about the level of enforcement that may follow the DSP’s implementation.

Violations of the DSP could lead to significant civil penalties and, in severe cases, criminal charges. A willful breach could result in a prison sentence of up to 20 years. Furthermore, the DOJ has highlighted that whistleblowers who report violations may be eligible for financial rewards through the Financial Crimes Enforcement Network (FinCEN).

The NSD is also open to providing advisory opinions to assist companies in understanding their compliance obligations. Requests for such opinions must include specific disclosures and be submitted under penalty of perjury. Notably, voluntary self-disclosures of violations may be viewed favorably and considered a mitigating factor during enforcement actions.

The DSP represents a substantial shift in the approach to data security in the United States. As the deadline approaches, organizations must act swiftly to evaluate their compliance status, remediate any gaps, and document their efforts to align with the new regulations.