As of May 9, 2025, the U.S. Department of Justice’s (DOJ) Data Security Program (DSP) is in effect, with a 90-day enforcement grace period ending on July 8, 2025. During this period, the DOJ will not prioritize civil enforcement actions against entities making good-faith efforts to comply with the DSP’s requirements. However, full compliance is expected by the end of this window.
The DSP, established under Executive Order 14117, aims to prevent foreign adversaries from accessing U.S. government-related data and bulk sensitive personal data, including genomic, biometric, geolocation, health, financial, and other personal information. The program imposes restrictions on certain data transactions involving countries of concern, namely China, Russia, Iran, North Korea, Cuba, and Venezuela.
To assist entities in achieving compliance, the DOJ has released several resources, including a Compliance Guide, a set of Frequently Asked Questions (FAQs), and an Implementation and Enforcement Policy. These documents provide guidance on key definitions, prohibited and restricted transactions, and requirements for building a robust data compliance program.
Entities are encouraged to utilize this grace period to assess their data handling practices, implement necessary changes, and ensure adherence to the DSP’s provisions to avoid potential enforcement actions post-July 8, 2025.
The Details…
The DOJ has implemented sweeping new data security requirements affecting organizations well beyond traditional defense contractors. Alvarez & Marsal consultants Randy Cook, Vince Mekles and Rachel Woloszynski examine the DOJ’s data security program, which imposes strict controls on transactions involving sensitive personal data with “countries of concern” including China and Russia.
The DOJ’s data security program, formally the final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” went into effect April 8.
Companies that collect data of a type and volume covered by the data security program, or DSP, are subject to a level of data security expectation historically reserved for sensitive transactions or companies within the traditional US defense industrial base.
The breadth of covered data, the potential complexity of demonstrating compliance if subjected to DOJ inquiry and enforcement penalties up to and including criminal liability should compel the market to take notice and respond to this new data security regime. (Subject to the Federal Civil Penalties Inflation Act, civil penalties can be up to $368,136 or twice the amount of the transaction involved, whichever amount is greater. The DSP establishes the processes for the DOJ to issue findings of violations and civil penalties, including an opportunity for parties to respond before the department issues a penalty. Willful violations can lead to criminal fines up to $1 million and up to 20 years’ imprisonment.)
Today, we explore an operational roadmap for how to assess whether the DSP applies to your company and what you should be doing if it does.
What is the government driving at?
Companies that understand why the US government is taking action are more likely to implement a compliance approach responsive to the US government’s equities and thereby mitigate risk.
Put simply, the confluence of new technologies — particularly large language models and other AI technologies — that allow for rapid ingestion, processing and inference over large data sets presents an emergent and significant threat to US national security. The threat can manifest in various ways, including facilitating espionage, blackmail and civil unrest through targeted misinformation and disinformation campaigns.
The emergent threat also must be understood in the context of a shifting geopolitical landscape, now marked by major-power competition. In this new world where national security is economic security, policymakers’ thinking as to the balance between economic and national security interests has shifted. National security interests are increasing in prominence and coming to the fore.
What does the DSP do?
Staying at a high level, there are two animating factors of the DSP: (1) control of bulk sensitive data or government-related data and (2) covered transactions with countries of concern or covered persons. The DSP identifies several sensitive data categories, including human genomic and other ’omic data, biometric identifiers, precise geolocation data, and personal health, financial and identifying information. The DSP is triggered when the volume of sensitive data exceeds designated thresholds, spelled out in the table below:
Sensitive data categories, volume thresholds (in number of US persons, except where noted) and examples:

| Category | Threshold | Explanation and examples |
|---|---|---|
| Human genomic data | >100 | Personal data that involves human ’omic data or human biospecimens from which such data could be derived (e.g., DNA results from genetic testing) |
| Human epigenomic, proteomic and transcriptomic data | >1,000 | |
| Biometric identifiers | >1,000 | Measurable physical or behavioral characteristics used for identification or recognition (e.g., facial images, fingerprints, retinal scans, voice prints) |
| Precise geolocation data | >1,000 US devices | Data that identifies an individual’s or device’s physical location to within 1,000 meters (e.g., GPS coordinates); the threshold is counted in US devices rather than US persons |
| Personal health data | >10,000 | Physical or mental health information, healthcare services data or associated payments (e.g., height, weight, vital signs, symptoms) |
| Personal financial data | >10,000 | Financial-related information (e.g., financial accounts, credit or debit cards, credit history, financial liabilities) |
| Certain covered personal identifiers | >10,000 | PII-type data that, individually or in combination, can identify specific individuals (e.g., Social Security numbers, driver’s license or other government ID numbers) |
The DSP prohibits certain data brokerage transactions and any covered data transaction that would give access to bulk ’omic data or to human biospecimens from which bulk ’omic data can be derived. It also restricts vendor agreements, employment agreements and nonpassive investment agreements that would allow access to bulk sensitive data or government-related data. These restricted transactions may proceed, however, only if the applicable security requirements are satisfied.
The DSP specifies the countries of concern — China (including Hong Kong SAR and Macau SAR), Cuba, Iran, North Korea, Russia and Venezuela — and describes the covered persons with whom transacting could implicate the DSP if bulk sensitive data is involved.
The DSP also references specific security requirements issued by the US Cybersecurity and Infrastructure Security Agency (CISA) for the protection of bulk sensitive data in restricted transactions.

How does the DSP apply to your company?
There are two critical steps to comprehensively assessing whether the DSP applies to your company: (1) know your data and (2) know with whom you are transacting (i.e., your vendors, your employees and your customers).
Successful compliance programs will be able to demonstrate consistency, accuracy and auditability with respect to their approach to compliance with the DSP:
- Consistency: Define in policy and employ a reasonable process to determine which use case applies to the company and periodically revalidate that the factors that informed the company’s initial assessment have not materially changed over time.
- Accuracy: Depending on which use case applies, develop and implement policy, process and technical controls that are sufficient to demonstrate compliance with the DSP.
- Auditability: Proving compliance with the DSP can be achieved by quickly marshaling documentation or information sufficient to demonstrate that the company’s compliance controls are effective.
At bottom, “reasonableness” likely will be the regulatory touchstone for determining the sufficiency of a company’s compliance approach. What is reasonable under the circumstances is a somewhat amorphous standard, however, and the criminal and civil penalties that can apply to any enforcement action under the DSP likely counsel companies to be conservative and protective.
What should be considered when building a responsive compliance program?
With the DSP in effect, companies that have not already done so must begin thinking about how to develop and document a tailored covered data compliance program to mitigate operational and IT governance risk, including undertaking necessary due diligence, performing risk assessments and implementing interim mitigation strategies and longer-term controls regimes.
Companies also need to consider the IT governance angle based on the incorporation of CISA guidance, including accounting for the following considerations:
Technical controls
- Implement end-to-end encryption for bulk sensitive data at rest and in transit.
- Deploy role-based access controls with multi-factor authentication and least privilege principles.
- Establish geographic access restrictions to prevent data access from countries of concern.
- Implement network segmentation, DLP tools and API-level controls to prevent unauthorized extraction.
Administrative controls
- Maintain comprehensive data inventory identifying all regulated data repositories.
- Establish documented approval workflows for any access by covered persons.
- Create immutable audit logs tracking all access attempts and data movements.
- Conduct regular security assessments and third-party validation of controls.
Documentation requirements
- Security control inventory and implementation specifications.
- Regular risk assessment and compliance-validation reports.
- Access control policies and monitoring implementation details.
- Evidence of staff training on rule requirements.
How might the DSP impact multinational organizations and cross-border transactions?
With respect to multinational organizations and cross-border transactions, it should be expected that the DSP will create additional hurdles. Possible examples could include:
- Compliance programming: Companies likely will need to implement compliance frameworks and controls to guard against improper handling of bulk sensitive data across multinational organizations.
- IT infrastructure: Mapping systems and access controls for bulk sensitive data will be necessary to identify where that data could migrate across borders.
- Third-party relationships: Rigorous due diligence standards for foreign vendors, suppliers and other partners will be expected to ensure adherence to bulk sensitive data requirements.
- Legal considerations: Heightened data governance and privacy standards, along with existing regulatory regimes, may require more investment in policy and legal support.
Multinational organizations and companies that engage in cross-border transactions should be preparing for these additional impacts and tailor their due diligence, risk assessment and mitigation efforts to reflect these additional considerations as deemed necessary.
What happens now that the DSP is effective?
On April 11, the DOJ issued a press release, compliance guide, list of FAQs and a policy on implementation and enforcement, which all provide further information and guidance on the DSP. Here, we identify three items clarified through DOJ’s additional guidance that pertain to how companies operationalize a security and compliance regime responsive to the DSP.
Nonenforcement period, provided good-faith implementation efforts are made
DOJ has indicated that it will not focus on civil enforcement during the first 90 days that the DSP is in effect (i.e., until July 8), provided that a company can demonstrate “good faith efforts” to comply with the DSP during the initial 90-day window.
DOJ-provided examples of good faith efforts are summarized below:
- Conducting internal reviews of access to sensitive personal data.
- Reviewing internal datasets and data types to determine whether they are subject to the DSP.
- Renegotiating vendor agreements and negotiating contracts with new vendors.
- Transferring products and services to new vendors.
- Conducting due diligence on potential new vendors.
- Negotiating contractual onward transfer provisions with foreign persons who are the counterparties to data brokerage transactions.
- Adjusting employee work locations, roles or responsibilities.
- Evaluating investments from countries of concern or covered persons.
- Renegotiating investment agreements with countries of concern or covered persons.
- Implementing the CISA requirements.
To emphasize the criticality of good-faith efforts to the application of the 90-day nonenforcement period, the policy specifies that: “During this 90-day period, [DOJ] will pursue penalties and other enforcement actions as appropriate for egregious, willful violations. This policy does not limit [DOJ’s] authority and discretion to pursue civil enforcement if such persons did not engage in good-faith efforts to comply with, or come into compliance with, the DSP.” (Emphasis added.)
After the 90-day period, the DOJ has made clear that it expects “individuals and entities [to] be in full compliance with the DSP and should expect [DOJ] to pursue appropriate enforcement with respect to any violations.” (Emphasis added.)
Based on this guidance, it will be important for companies actively engaged in efforts to build out processes to meet DSP requirements to document their “good faith efforts,” and to be on a path to demonstrate full compliance with the DSP by July 8, 2025.
Clarifying guidance on security requirements for nonexempt restricted transactions
In the compliance guide, DOJ provided clarifying guidance on what is expected of companies that will engage in nonexempt restricted transactions that implicate the DSP. This guidance is important to how companies think about, and cost out, the security apparatus needed to engage in nonexempt restricted transactions in a manner compliant with the DSP. In addition to reiterating the need for security measures that meet the CISA requirements specific to the DSP, key points of the clarifying guidance include:
- Leadership and compliance personnel must be accountable for supporting, building and maintaining a responsive data compliance program.
- A tailored data compliance program must underpin restricted transactions to “prevent, detect and remediate” potential violations of the DSP.
- Policies and procedures must be developed and implemented for data compliance, risk-based due diligence and security controls application.
- Screening for current and prospective vendors must be deployed, and related processes should be documented.
- Tailored and appropriately scoped training for personnel should periodically be conducted.
- Regular audits of restricted transactions should be performed to identify compliance gaps and potential violations of the DSP for disclosure to the National Security Division.
- Comprehensive records of all transactions subject to the DSP must be retained for at least 10 years after the date of each such transaction.
Timing of adjudicating license and advisory opinion requests
Expecting a significant volume of informal inquiries about the DSP during the first 90-day period, DOJ has specified in the implementation and enforcement policy that it will accept submission of license or advisory opinion requests during the first 90-day period, but it will “not review or adjudicate” those requests absent “emergency or imminent threat to public safety or national security.”
The “emergency or imminent threat to public safety or national security” standard is expected to set a high bar for any DOJ disposition of a license or advisory opinion request during the 90-day period. Because submissions are nonetheless accepted, the department may face a backlog once the 90-day window lapses. Companies that would otherwise seek a license or an advisory opinion on a potentially novel application of the DSP should therefore build potential short-term delays into their operational expectations.
The clarifying guidance issued by DOJ is simultaneously an acknowledgement of the compliance complexities presented by the DSP — via the 90-day nonenforcement period for good-faith compliance efforts — and the high priority that DOJ is placing on compliance and enforcement — via taking time to more precisely detail security expectations while emphasizing that all companies must achieve full compliance by July 8.
The bottom line is that companies need to develop and quickly implement a comprehensive DSP compliance regime or risk the significant penalties of noncompliance, including criminal penalties for certain levels of misconduct. This requires being able to show sufficient controls to establish one of three positions: that the company does not engage in nonexempt restricted transactions; that it falls within a DSP exemption; or that it can currently and prospectively identify all of its nonexempt restricted transactions subject to the DSP and has implemented sufficient security controls across those transactions.
In short, by July 8, companies must be ready to demonstrate that they know their data, know their people, know their vendors and know their customers.
This article was adapted from material published by Alvarez & Marsal; it is shared here with permission.