
Federal: DOJ Issues Final Guidance and Resources for the Data Security Program (DSP)

31 Jul


Update Applicable to: All U.S. Persons subject to the Data Security Program

Effective Date: April 8, 2025
Enforcement Begins: July 8, 2025
Compliance Program Deadline: October 6, 2025


What happened?

On April 11, 2025, the U.S. Department of Justice issued final guidance for its new Data Security Program (DSP), establishing strict rules to prevent foreign access to sensitive U.S. data. Full enforcement begins July 8, 2025, following a 90-day grace period for compliance.
 
Overview:

Applies to: See DOJ FAQs Question #2, #14
 
DOJ Data Security Program (DSP): The Data Security Program (DSP) is a new federal rule from the U.S. Department of Justice (DOJ) designed to prevent foreign adversaries from accessing sensitive U.S. personal and government-related data. It applies to all U.S. individuals and organizations and is enforced by the DOJ’s National Security Division (NSD).

  • Countries of Concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, Venezuela


What’s Covered: The rule applies to “covered data transactions” that give access to sensitive data through:

  • Data sales or sharing (data brokerage)
  • Vendor, employment, or investment agreements

It targets transactions involving foreign individuals or entities tied to countries of concern.


Sensitive Data Types: The rule applies if the organization holds:

  • Genomic data on 100+ people.
  • Biometric or location data on 1,000+ people/devices.
  • Health or financial data on 10,000+ people.
  • Personal identifiers on 100,000+ people.


Prohibited Transactions

  • Selling or sharing sensitive data with covered persons or countries of concern.
  • Transactions involving bulk human genomic data.
  • Transactions that attempt to evade the rule.


Restricted Transactions: Vendor, employment, or investment agreements with covered people/countries are allowed only if the person:

  • Follows CISA security standards.
  • Implements a written compliance program.
  • Conducts annual audits.
  • Maintains detailed records and reports.


Exemptions: Some transactions are exempt, including:

  • U.S. government work
  • Financial services
  • CFIUS-reviewed investments
  • Telecommunications and clinical trials


Penalties

  • Whistleblower rewards available for reporting violations
  • Civil: Up to $368,136 or twice the transaction value
  • Criminal: Up to 20 years in prison and $1 million fine


Additional Information:


Why Comply?

  • Avoid fines and legal risk.
  • Improve data security and efficiency.
  • Strengthen vendor and partner trust.
  • Align with federal cybersecurity standards.


Considerations for Compliance:

  • Know Your Data: Understand what you collect and who can access it.
  • Screen Vendors and Partners: Check for ties to countries of concern.
  • Create a Compliance Program: Must be written, risk-based, and certified annually.
  • Keep Records: Maintain auditable records for 10 years.
  • Report:
    • Rejected prohibited transactions (within 14 days)
    • Annual reports for certain cloud services



This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
