17 July 2025

DOJ's 90-Day Data Security Compliance Grace Period Is Over: Are You Compliant?

Sheppard Mullin Richter & Hampton

Contributor


The U.S. Department of Justice ("DOJ") Data Security Program ("DSP") 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace period, the majority of the DSP is now effective and will be enforced.

Background

As a reminder, the DOJ DSP aims to protect Americans' sensitive personal data and certain U.S. Government-related data from foreign adversaries (see our blog here for more details on the rule). Specifically, the program prohibits or restricts "covered data transactions," i.e., any transaction that involves any access by a country of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela) or covered person to any bulk U.S. sensitive personal data or government-related data (as defined in the regulations) and that involves data brokerage; a vendor agreement; an employment agreement; or an investment agreement. Common types of data that will be subject to this rule include health and biometric data; human genomic data; financial data; personal health data; government identification numbers (such as social security numbers); demographic and contact information; and network, device, and advertising identifiers.

Enforcement Timeline and Path to Compliance

While the majority of the DSP is now effective and will be enforced as of July 8, 2025, the DSP includes another deadline for companies to establish required internal policies and procedures. By October 6, 2025, companies must implement the final requirements of the DSP to create a data compliance program (if participating in restricted transactions) and comply with reporting and auditing requirements.

It is crucial that companies evaluate and strengthen their data practices in advance of the upcoming October 6, 2025 deadline. Specifically, U.S. entities subject to the DOJ DSP should evaluate the following when shoring up compliance efforts:

  • Risk-based procedures for data security
  • Vendor management and validation
  • Written data and security policies with annual certification
  • Employee training programs
  • Dedicated compliance personnel
  • Audit, record-keeping, and reporting procedures, and procedures for data security compliance

Companies should not delay implementing compliance programs. This is especially pertinent given the potential enforcement penalties associated with the DSP. The DOJ may bring civil enforcement actions and criminal prosecutions for knowing or willful violations of DSP requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
