Highlights
- The U.S. Department of Justice's (DOJ) new Data Security Program (DSP) restricts sensitive U.S. data transactions involving foreign access and "countries of concern."
- Beginning October 6, 2025, companies must comply with new due diligence, audit, and reporting obligations tied to restricted transactions.
- Violations carry serious civil and criminal penalties, making it essential to assess applicability, close compliance gaps, and document efforts now.
Earlier this year, DOJ's National Security Division (NSD) introduced the DSP, a program designed to ensure that companies and individuals handling sensitive U.S. data adopt "best-in-class safeguards" to protect national security interests. This initiative reflects a significant shift in the federal government's approach to cybersecurity and data protection. With additional compliance obligations beginning next week, companies should evaluate whether the DSP could impact operations and consider proactive steps.
Steps for Companies
- Identify Applicability: Determine whether your organization falls within the scope of the DSP, which covers many activities related to data processing, foreign access, and third-party vendors.
- Conduct a Self-Assessment: Engage legal and cybersecurity teams to evaluate current data security practices for conformity with DSP requirements.
- Remediate Gaps and Prepare Documentation: Address any identified compliance gaps — such as employee roles, vendor oversight, access controls, data transfers, or incident response readiness — and maintain detailed records of assessments and remediation plans.
- Consult Legal Counsel: Seek guidance for risk analysis, program development, audit preparation, advisory opinion requests, or voluntary self-disclosures.
Key Program Principles
The DSP, effective on April 8, 2025, creates export controls that prohibit or restrict U.S. persons from engaging in certain data transactions. The DSP targets entities that handle or have access to U.S. persons' sensitive data, especially where there is potential foreign access or influence.
Under the DSP, unless exempt or authorized by license, U.S. persons may not engage with a "country of concern" or a "covered person" in certain "covered data transactions" unless all DSP requirements are met.
- Countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela.
- Covered persons include:
- Foreign entities headquartered in or organized under the laws of a country of concern or 50% or more owned by a country of concern;
- Foreign individuals who are employees or contractors of a country of concern;
- Foreign individuals who are primarily residents in a country of concern; and
- Persons that NSD designates and publicly identifies as covered, which may include both foreign and U.S. persons.
- Covered data transactions are transactions that give a country of concern or a covered person access to any "government-related data" or "bulk U.S. sensitive personal data" through data brokerage, vendor agreements, employment agreements, or investment agreements.
- Government-related data is certain geolocation data or sensitive personal data (regardless of volume) that can be linked to current or "recent former" federal government employees and contractors.
- Bulk U.S. sensitive personal data means personal identifiers, precise geolocation data, biometric identifiers, personal health data, personal financial data, "human 'omic data," or any combination thereof that relates to U.S. persons that meets or exceeds bulk thresholds. This definition applies regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.
- Prohibited transactions involve data brokerage or bulk "human 'omic" data.
- Restricted transactions require compliance with Cybersecurity and Infrastructure Security Agency (CISA) standards and certain due diligence obligations.
Upcoming Compliance Requirements
Beginning on October 6, 2025, U.S. persons or entities engaged in restricted transactions must:
- Implement a data compliance program with risk-based procedures for identifying data flows and vendor identities, as well as written policies describing program implementation and DSP compliance.
- Conduct an annual independent audit reviewing restricted transactions, compliance processes, and relevant records, with a formal report.
- Submit annual reports for U.S. entities with at least 25% ownership by a country of concern engaged in restricted cloud services, or for those that decline a prohibited data brokerage transaction.
Enforcement Uncertainty: Will DOJ Actively Pursue Cases?
While this new program signals DOJ's intent to take data security seriously, NSD has historically litigated relatively few civil enforcement matters. This raises questions about how vigorously the NSD will enforce noncompliance or pursue investigations.
That said, heightened national security attention and potential collaboration with other enforcement agencies mean that organizations should take the DSP's requirements seriously. Violations of the DSP may result in civil and, in some cases, criminal penalties. A willful violation of the DSP can carry a prison term of up to 20 years. Moreover, DOJ has noted that whistleblowers located in the U.S. or abroad who report DSP violations may be eligible for financial awards through the Financial Crimes Enforcement Network (FinCEN).
NSD has also offered advisory opinions to help guide compliance for potentially regulated companies. Requests for advisory opinions must meet certain requirements for disclosure of information and be submitted under penalty of perjury. In addition, NSD has stated that it will consider voluntary self-disclosures as a mitigating factor in any enforcement action, with a full, detailed report of a violation within 180 days of self-disclosure.
Conclusion
The DSP represents a paradigm shift by DOJ into the data security landscape. With the October 6, 2025, deadline fast approaching, companies should act now to assess applicability, remediate compliance gaps, and prepare documentation to demonstrate good-faith efforts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.