Last January the National Security Division (NSD) of the U.S. Department of Justice issued a final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (28 C.F.R. Part 202). The first national data residency regulation in the U.S., this rule, known as the Data Security Program (DSP), imposes sweeping regulation on the overseas dissemination of U.S. personal data. The regulation governs cross-border data transfers that give China, Russia, or another “Country of Concern,” or a “Covered Person,” “access” to bulk levels of U.S. sensitive personal data or to government-related data. The level of regulation depends upon whether the data transfer falls within the definition of a “restricted” or a “prohibited” transaction. Civil penalties are steep, reaching $368,136 per violation under the regulation, and violations may also be prosecuted criminally under the International Emergency Economic Powers Act (IEEPA), with a fine of up to $1,000,000 and imprisonment.
The DSP became effective on April 8, 2025. A 90-day “good faith” grace period just ended on July 8, 2025. Here are six questions every U.S. organization engaging in cross-border data transfers should ask.
Is my organization engaged in a Covered Transaction?
Under the DSP, a “covered data transaction” is any transaction that provides a “Country of Concern” or “Covered Person” access to either “Bulk U.S. Sensitive Personal Data” or “Government-Related Data” through one of four broadly defined transaction categories: (1) data brokerage transactions; (2) vendor agreements; (3) employment agreements; and (4) investment agreements. A data brokerage transaction involves the sale or licensing of data that was not collected directly from the individual. A vendor agreement involves the provision of goods or services, including IT or cloud storage. An employment agreement involves the hiring or engagement of personnel who will have access to regulated data. An investment agreement involves ownership or control rights over data or over U.S. entities.
What is Bulk U.S. Sensitive Personal Data and Government-Related Data?
Bulk U.S. Sensitive Personal Data is defined as six categories of U.S. personal data that meet volume thresholds. Those categories and the corresponding bulk thresholds are: covered personal identifiers (100,000+ persons); precise geolocation data, including real-time or historic data (1,000+ devices); biometric identifiers (1,000+ persons); human ‘omic data (1,000+ persons; 100+ persons for genomic data); personal health data (10,000+ persons); and personal financial data (10,000+ persons).
This definition also extends to anonymized, pseudonymized, and encrypted data. Some of these categories are broadly defined. A covered personal identifier is personally identifiable data that could be used to identify or link individuals when combined with other identifiers. Personal financial data are records related to bank accounts, credit history, purchase behavior, or any financial transaction. Government-Related Data is defined as precise geolocation data, regardless of volume, tied to U.S. government sites, or sensitive data linked to current or recent federal employees, contractors, or senior officials.
Which countries are Countries of Concern and who are “Covered Persons”?
Currently, there are six identified Countries of Concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. A Country of Concern also may include any foreign government that the Attorney General, the Secretary of State, and the Secretary of Commerce determine qualifies under the criteria set out in 28 C.F.R. § 202.209. This list should therefore be checked regularly.
A Covered Person is (i) an individual employed by or primarily residing within a Country of Concern; (ii) an organization based in or majority-owned by a Country of Concern; and/or (iii) any person determined by the U.S. Attorney General to be a Covered Person under 28 C.F.R. § 202.211(5).
What is a Prohibited Transaction?
A Prohibited Transaction is a data brokerage transaction involving Bulk U.S. Sensitive Personal Data or Government-Related Data, or a transfer of human ‘omic data or biospecimens, to or involving a Country of Concern or a Covered Person. Prohibited transactions also include data brokerage transactions with any other country, or with an organization within that country, that lack contractual restrictions on resale, and any transaction undertaken in an attempt to evade the DSP.
What is a Restricted Transaction?
A Restricted Transaction is a vendor, employment, or investment agreement involving a Covered Person that is permitted only if the agreement satisfies specific security requirements outlined in the DSP. Those requirements include implementation of the CISA Security Requirements on the data in question; a written data compliance program; annual compliance audits; and timely reporting and recordkeeping.
What should my organization be doing now?
DSP enforcement will require affirmative evidence of compliance, especially to avoid the steeper fines and criminal prosecution available under the IEEPA. Working with IT, in-house counsel, and perhaps outside support, potentially affected organizations should be mapping data flows and access credentials, and classifying and quantifying the data they process.
Organizations should also document where restricted access is necessary. Has your organization undertaken a risk assessment to identify vendors, partners, or even affiliates that might qualify as a “Covered Person”? Have appropriate contractual requirements been added to transactions involving Bulk U.S. Sensitive Personal Data or Government-Related Data? Does your organization properly classify data transactions? Depending upon the level of DSP-regulated transactions engaged in, has a written and comprehensive compliance program been implemented? Have recordkeeping requirements been implemented? If an organization does not know the answers to these questions, the time to learn them is now.