Understanding the DOJ’s New Data Security Program: A Comprehensive Overview

The U.S. Department of Justice’s (DOJ) Data Security Program (DSP), codified at 28 C.F.R. Part 202, took effect on April 8, 2025, and its remaining compliance obligations (due diligence, audit, and reporting requirements) became effective on October 6, 2025. The program responds to increasing threats from foreign actors seeking access to sensitive U.S. personal data and government-related data. It introduces significant restrictions on how companies handle and share that data where countries of concern or persons connected to them are involved. With the program now fully in force, it is imperative for businesses to understand its scope, compliance requirements, and the consequences of noncompliance.

Who Must Comply?

The DSP casts a wide net, covering U.S. companies, citizens, and organizations involved in the collection, storage, or transfer of sensitive personal or government-related data. Importantly, these regulations also extend to entities dealing with U.S. data or engaging in transactions that could expose this data to foreign governments or persons.

The definitions of sensitive data under the DSP are broad. Sensitive personal data includes covered personal identifiers, precise geolocation data, biometric identifiers, human ’omic data, personal health data, and personal financial data, each subject to a bulk threshold, and the rule applies regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted. This comprehensive approach means that many transactions not traditionally associated with data privacy issues could fall under the DSP umbrella. For instance, a U.S. company operating a website could trigger these regulations if it knowingly implements tracking technologies that transfer covered data to a third party in a country of concern.

Which Foreign Countries and Persons Are Covered?

The DSP specifically addresses transactions involving designated "countries of concern," which currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. It also covers "covered persons," a category that includes foreign entities organized in, headquartered in, or 50 percent or more owned by a country of concern or another covered person; foreign employees and contractors of such entities; and foreign individuals primarily resident in a country of concern. In addition, the Attorney General may designate any person as a covered person, which allows the DOJ to expand coverage in response to evolving national security needs.

What Transactions Are Prohibited vs. Restricted?

The DSP outlines two main categories of data-related transactions:

  • Prohibited Transactions: Data brokerage transactions that give a country of concern or covered person access to bulk sensitive personal data or government-related data are forbidden, as are transactions that give such parties access to bulk human ’omic data or biospecimens, unless an exemption or a DOJ license applies. Data brokerage with any other foreign person is permitted only if the recipient contractually agrees not to onward-transfer the data to a country of concern or covered person.

  • Restricted Transactions: Vendor agreements (including cloud-computing services), employment agreements, and investment agreements that give a country of concern or covered person access to covered data are permitted, but only under stringent conditions. Companies must implement the required security measures, maintain a data compliance program, and keep detailed records.

What Obligations Companies Now Have for Restricted Transactions?

Businesses that engage in restricted transactions face several compliance obligations:

  • Due Diligence Requirements: Companies are required to establish a robust data compliance program. This includes developing risk-based procedures to document the flow, parties, and intended use of sensitive data, alongside annual certified policies that outline compliance measures and vendor verification processes.

  • Audit Requirements: An annual, independent audit is necessary to ensure that compliance measures are effective. The audit should cover data practices and security measures, and its findings must be documented for a minimum of ten years.

  • Records and Recordkeeping Requirements: Complete records of all restricted transactions must be maintained for at least ten years. This encompasses compliance policies, audit results, due diligence documentation, and any relevant licenses or agreements. A company officer must certify the accuracy and completeness of these records each year.

  • Reporting Requirements: The DOJ may request documentation at any time. A U.S. person engaged in a restricted transaction involving cloud-computing services, where that person is 25 percent or more owned by a country of concern or covered person, must submit an annual report describing the transaction. If a company receives and rejects an offer to engage in a prohibited data brokerage transaction, it must report the rejected offer to the DOJ within 14 days.

  • Security Requirements: Companies must adhere to cybersecurity standards established by the Cybersecurity and Infrastructure Security Agency (CISA) designed to safeguard sensitive and government-related data.

Whistleblower Program

To bolster enforcement, the DOJ has noted that violations of the DSP may be reported through the whistleblower program administered by the Financial Crimes Enforcement Network (FinCEN). That program covers violations of the International Emergency Economic Powers Act, the authority under which the DSP was issued, and offers awards to individuals whose information leads to a successful enforcement action resulting in monetary penalties exceeding $1 million. This avenue gives employees and contractors a strong incentive to report noncompliance and increases the likelihood that violations come to light.


In light of these sweeping measures, organizations must proactively review their data management practices, contractual agreements, and vendor interactions to ensure compliance with the DSP. Engaging legal and cybersecurity experts can help businesses navigate this complex framework and assist in designing effective compliance programs tailored to meet the new standards set forth by the DOJ. For further support and insights, consulting with specialized teams such as McCarter & English’s Cybersecurity & Data Privacy group may be invaluable.
