A New Approach to Data Regulation

With the U.S. Department of Justice’s Data Security Program (DSP) now in full effect, companies that handle sensitive personal data, operate across borders, or rely on global vendor ecosystems face an increasingly complex compliance environment. The DSP restricts certain data transactions involving individuals and countries of concern, imposes new contractual compliance obligations, and signals a clear national-security approach to data governance.

The DSP marks a new era in the federal government’s regulation of data transactions, applying concepts traditionally used in U.S. export control law to bulk or sensitive data exchanges. The DSP is designed to address what the DOJ has described as “the extraordinary national security threat” posed by U.S. adversaries acquiring Americans’ most sensitive data through commercial means to “commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security.”

Key Compliance Practices

U.S. businesses should work on the following:

  • Identifying where covered data resides, who has access, and which external parties interact with the information. Businesses should focus on (i) bulk datasets or datasets relating to sensitive government activities and (ii) any technical, contractual, or operational links to foreign jurisdictions that could implicate the DSP’s restrictions.
  • Evaluating existing vendor, service-provider, and data-processing agreements in light of the DSP. This includes updating provisions to address data-access controls, obligations, audit rights, and restrictions on subcontracting or data relocation. A business that holds or anticipates holding DSP-covered data should incorporate DSP-aligned terms by default in all new agreements.
  • Aligning their data compliance program to ensure effective data classification and accountability, documented vendor due-diligence procedures, and demonstrable oversight over the data they hold.
  • Training key personnel—including legal, procurement, IT, HR, and executives—so they can recognize when a transaction, vendor, or relationship may fall within the DSP’s scope.
  • Conducting thorough due diligence before engaging in a merger or acquisition transaction involving covered data or a transaction with parties that own or have access to such data.

U.S. businesses engaged in restricted transactions must also:

  • Maintain a sufficient data compliance program that verifies data flows and confirms vendor identities.
  • Develop a written description of their compliance program and implement the Cybersecurity and Infrastructure Security Agency (CISA) security requirements, which must be certified annually.
  • Conduct independent audits of their compliance program.
  • Retain all relevant records for at least ten years.

Persons and Countries of Concern

The DSP grants the federal government broad authority to designate “countries of concern” and “covered persons.” Currently designated countries are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. A covered person generally includes any entity, contractor, or employee affiliated with one of these countries. The Attorney General may designate additional countries or individuals.

What Data is Covered?

The DSP regulates two primary categories of information: bulk U.S. sensitive personal data and government-related data. Sensitive personal data includes precise geolocation information, biometric identifiers, genomic and other “’omic” data, personal health data, personal financial data, and certain personal identifiers—each subject to specific volume thresholds. Government-related data includes precise location data associated with designated sensitive government sites and any sensitive personal data marketed as linked or linkable to U.S. government employees, contractors, or officials, which is covered regardless of volume. These categories are broad enough to encompass data controlled or processed by banking, healthcare, and technology firms. Importantly, DSP requirements apply even to de-identified, pseudonymized, or encrypted data.

Enforcement

The DOJ’s Foreign Investment Review Section (FIRS) is responsible for enforcing the DSP. Although enforcement activity has been limited thus far, the penalties for non-compliance are significant. Failing to comply with the DSP can result in civil and criminal penalties under the International Emergency Economic Powers Act, including prison sentences of up to twenty years and fines as high as $1,000,000. The DOJ’s Whistleblower Award program also provides financial incentives for individuals to report violations, increasing the likelihood that prohibited or non-compliant activities will come to the government’s attention.

Compliance Resources

For organizations preparing to comply with the DSP, additional resources are invaluable. The DOJ has published an FAQ, a compliance guide, and offers periodic enforcement updates, while CISA has released the required security controls for restricted transactions. Bradley is ready to assist businesses in interpreting these complex rules, weighing possible exceptions, assessing their exposure, and building effective compliance programs. If you have questions about the DSP or its impact on your operations, please contact one of the authors.

Eric Stocking

Eric Stocking is an attorney in the firm’s Corporate & Securities Practice Group. He has experience assisting clients with financial services, e-commerce, cybersecurity, data privacy, and transportation and logistics matters. He assists with M&A transactions by conducting due diligence, drafting disclosure schedules, reviewing purchase agreements, and drafting ancillary transaction documents. Eric also provides support to clients complying with federal, state and European Union privacy laws and offers guidance on federal regulatory requirements. Eric is designated as a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.

Jonathan "Jack" Harrington

Jack Harrington represents clients facing complex criminal, regulatory, enforcement, and reputational matters with a particular focus on the financial services, defense, and technology sectors.

Prior to joining Bradley, Jack served as an Assistant U.S. Attorney in the Criminal Division of the United States Attorney’s Office in Birmingham, where he investigated and prosecuted complex fraud, money laundering, trade sanctions, cybercrime, and national security matters in partnership with the FBI and other law enforcement agencies.