
US Firms Given 90 Days to Comply with New Data Security Program
Understanding the Data Security Program and Its Impact on Businesses
Companies operating globally have 90 days to steer clear of civil penalties under the new Data Security Program (DSP), enforced by the National Security Division of the Department of Justice. By July 8, 2025, businesses are expected to limit foreign adversaries’ access to personal and government-related data. The DSP targets any business handling sensitive data, but those in financial services, life sciences, and information technology are most vulnerable. Data brokers and companies involved in cross-border transactions will also feel the DSP’s effects. The DSP, a rare agreement between the Biden and Trump Administrations, has been active since April 8, 2025, and the DOJ does not plan to delay criminal enforcement for wilful violations.
DOJ’s Role in Regulating Data Transfers
The DOJ expects U.S. companies to determine if their data practices allow foreign governments and individuals to access Americans’ sensitive personal data or government-related data. To assist companies, the DOJ issued further guidance on key provisions and its expectations during the enforcement pause. Companies are given 90 days to ensure data protection, and failure to comply will lead to enforcement actions.
Who is Affected by the Data Security Program?
The DSP aligns with the Biden Administration’s proposed rule and extends beyond traditional privacy laws. It targets “U.S. persons” involved in data transactions that offer foreign adversaries access to “covered data.” This includes foreign citizens in the U.S. and U.S. entities. The DSP also targets transactions conducted between the U.S. and non-covered countries with links to a country of concern. It applies to six categories of “bulk sensitive personal data” and any U.S. government-related data, regardless of the data’s status. Additionally, it restricts access by “countries of concern” and “covered persons.”
The Impact on Regulated Transactions
Companies handling data covered by the DSP will face restrictions or bans on certain categories of transactions. The DSP restricts transactions involving vendor, employment, or investment agreements with a country of concern or covered person. Prohibited transactions include data brokerage transactions with a country of concern or covered person, or with any foreign entity unless specific contractual requirements are met. Companies that violate the DSP may face penalties under the International Emergency Economic Powers Act.
Exemptions and Exclusions from the DSP
While there are exemptions and exclusions from the DSP, they are interpreted narrowly. They include personal communications, informational materials, travel information, financial services, and corporate group transactions. Telecommunications services are also exempted if the data transactions are part of the provision of telecommunication services.
How Companies Should Prepare for DSP Regulation
The DSP imposes several requirements on companies engaged in restricted and prohibited transactions, including recordkeeping, reporting, audit, and due diligence requirements, and implementation of a formal compliance program. The DOJ provides Compliance Guidance to help companies with these requirements.
90-Day Reprieve by the DOJ
The DOJ has offered companies a 90-day reprieve from civil enforcement until July 8, 2025, to determine if the DSP’s prohibitions and restrictions apply. However, criminal enforcement and civil enforcement for companies not making good faith efforts to comply will continue.