October 6 Data Security Program Deadline Looms


Client Alert


The final compliance deadline for the Department of Justice’s (DOJ) Data Security Program rule (“DSP” or the “Rule”) is approaching. This complex regulation imposes a broad set of new restrictions on the flow of certain sensitive data from the United States to China and other designated countries of concern. 

Starting October 6, companies involved in covered data transactions must fully comply with the Rule, including implementing data compliance programs and reporting “restricted transactions.” Failure to meet these new requirements—along with those already in effect since April 2025—may result in enforcement action by the DOJ.

Summary of the Data Security Program

As we explained in prior client alerts in January and April, DOJ established the Data Security Program to stem the flow of certain categories of government data and bulk sensitive data about U.S. persons to “countries of concern,” specifically China, Cuba, Iran, North Korea, Russia and Venezuela. 

The DOJ has emphasized the importance of this regulation across administrations. When the Rule was issued in December 2024, the DOJ called it a crucial step to address the “extraordinary national security threat” posed by the transfer of sensitive personal data about Americans to “hostile foreign powers, whether through outright purchase or other means of commercial access.” More recently, current DOJ leadership described the DSP as essential to preventing foreign adversaries from using data to “commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security.”

The Rule took effect on April 8, 2025, and DOJ issued subsequent implementation guidance on April 11, including an Enforcement Policy, Compliance Guide and Frequently Asked Questions.

In general, the Rule prohibits certain sensitive data transactions and applies heightened security and reporting restrictions to others. Among the most notable restrictions, the Rule:

  • prohibits U.S. companies from knowingly engaging in data brokerage transactions involving certain categories of sensitive U.S. personal data with countries of concern;
  • bars U.S. companies from knowingly conducting other specific covered data transactions—vendor agreements, employment agreements or investment agreements involving bulk sensitive data or government-related data—with countries of concern or related entities; and
  • requires U.S. companies to follow security measures—including data minimization and encryption—when conducting authorized covered data transactions under vendor, employment or investment agreements with a country of concern.  

The DSP’s scope is broad. Covered transactions include those involving government-related data and a wide range of bulk sensitive personal data such as IP addresses or public account identifiers, precise geolocation data, biometric identifiers, human ’omic data (i.e., genomic, epigenomic, proteomic, and transcriptomic data), personal health information or personal financial data.

The Rule applies volume thresholds for bulk data about U.S. persons and extends to transactions involving anonymized, aggregated, or encrypted bulk data.

It also defines “access” broadly, covering any ability to “view or receive” covered data “in any form” by the countries of concern and covered persons. As a result, companies must carefully assess how covered individuals might interact with their data and systems that house such data. Notably, the Rule determines access “without regard to the application or effect of any security requirements,” significantly limiting mitigation options.

The DSP includes specific exceptions and exemptions to the general regulations. For example, exemptions are available for certain corporate group transactions, telecommunications services, and authorizations for drugs, biological products, and medical devices (including regulatory approval data, other clinical investigation data and post-marketing surveillance data). However, determining whether an exception or exemption applies requires detailed, fact-specific analysis in each case.

DOJ Enforcement 

DOJ began full enforcement of the Data Security Program in July, following a 90-day grace period for compliance. The National Security Division (“NSD”) oversees the program, and DOJ has authority under the International Emergency Economic Powers Act (“IEEPA”) to pursue civil enforcement actions and criminal prosecutions for knowing or willful violations. Civil penalties can reach the greater of $368,136 or twice the value of the noncompliant transaction. Willful criminal violations may result in up to 20 years in prison and fines of up to $1,000,000. During the grace period, NSD indicated it would not prioritize civil enforcement, to allow companies time to comply. With the final compliance obligations now in effect, DOJ is expected to shift to a more traditional enforcement posture.

NSD has emphasized that company cooperation can lead to favorable enforcement determinations and identified some of the steps companies can take to demonstrate good faith compliance:

  • conducting internal reviews of access to data, internal datasets and data types to determine whether the DSP is applicable;
  • reviewing vendors and vendor agreements or renegotiating contracts;
  • adjusting employee work locations, roles, or responsibilities; and
  • implementing CISA Security Requirements for restricted transactions. 

NSD has made clear that companies must now be in full compliance and should expect DOJ to “pursue appropriate enforcement action with respect to any violations.” Given the bipartisan support for the program and DOJ’s core enforcement mission, organizations that fail to comply risk facing aggressive civil and criminal enforcement actions.

Compliance Obligations: What Companies Need To Know

What is the bottom line for U.S. companies? 

Know your data.  Companies must understand not only what data they collect, but also how it moves through their systems, who can access it and whether any access involves a “country of concern” or a covered person pursuant to an employment, vendor or investment agreement. This may include: 

  • mapping data flows to identify direct or indirect data transmission; 
  • classifying data types and assessing volumes based on DSP categories;
  • reviewing security controls; and
  • evaluating counterparties and entities with access to data—including through vendor, employment or investment agreements—to determine whether they qualify as countries of concern or covered persons under the Rule.

Ensure strong compliance.  On October 6, the Rule’s final compliance obligations take full effect. Companies engaged in restricted transactions must:

  • Implement a data compliance program, including:
    • risk-based procedures to verify data flows;
    • risk-based procedures to verify vendor identities, if applicable;
    • a written policy describing the data compliance program, certified annually; and
    • a written policy describing implementation of CISA security requirements, certified annually.
  • Conduct independent audits for any restricted transactions.
  • Maintain records for 10 years, with specific requirements for records related to restricted transactions.
  • Submit annual reports for certain categories of restricted transactions.
  • Submit rejected prohibited transaction reports within 14 days. 

To reduce enforcement risks, companies should implement strong compliance programs that can detect and promptly disclose potential violations; document employee responsibilities under the policy; engage an auditor for restricted transaction reporting; and enhance due diligence reviews.

If concerns arise about a specific transaction, companies should conduct a thorough internal review to assess whether the transaction implicates DSP rules and whether a violation has occurred. Consistent with DOJ’s approach to voluntary disclosures, companies that promptly and fully disclose potential wrongdoing typically receive significant protections. 

Conclusion

With the October 6 deadline approaching, companies handling bulk sensitive data about U.S. persons or U.S. government-related data cannot delay in assessing their exposure under DOJ’s Data Security Program and implementing necessary compliance measures. Proactive compliance is essential given the Rule’s broad scope, complex exemption criteria and steep penalties—especially in light of DOJ’s enforcement posture. 

WilmerHale is prepared to help clients navigate these new and complex requirements. Our interdisciplinary teams—including former government officials and industry experts—offer deep experience with the Data Security Rule and other national security regulations. We provide guidance on compliance obligations, risk mitigation and potential investigations in this rapidly evolving regulatory landscape.
