On April 8, the U.S. Department of Justice (DOJ) launched its Data Security Program (DSP), a new regulatory framework with sweeping implications for how U.S. companies manage and share sensitive personal data. The DOJ provided a 90-day leniency period, ending July 8, to give companies time to come into compliance. The stakes of this new rule are high: civil fines of up to $1 million and criminal penalties reaching 20 years in prison.
The DSP is a national security initiative designed to prevent “bulk” U.S. personal and government-related data from being accessed by “countries of concern,” namely China, Russia, Iran, North Korea, Cuba, and Venezuela. Its scope extends far beyond direct data transfers, affecting vendor relationships, data brokerage arrangements, and even internal access protocols.
For enterprises handling regulated data, the countdown to compliance has already begun.
What’s Covered Under the DSP
The DSP regulates access to a wide range of sensitive data types and establishes the following bulk thresholds:
- Biometric identifiers on over 1,000 U.S. persons
- Precise geolocation data on over 1,000 U.S. devices
- Personal health data and personal financial data on over 10,000 U.S. persons
- Covered personal identifiers on over 100,000 U.S. persons (e.g., login credentials, device IDs)
- Any combination of these data types that meets the lowest threshold for any category in the dataset
The rule covers more than just data gathered through medical or financial services. Seemingly routine data like fitness app logs and payment history can fall under DSP coverage as well.
The rule applies to any form of bulk data sharing, including:
- Vendors
- Foreign partners
- Investors
- Joint ventures
- Data brokers
Even when working with non-covered foreign entities, companies must implement strict controls to prevent indirect access by the identified “adversarial” countries. The bottom line: if your organization holds regulated data, you’re likely in scope.
What The Grace Period Really Means
The 90-day leniency period applies only to civil enforcement, and only for organizations making good-faith efforts.
Critical details to keep in mind:
- Criminal enforcement is already active, particularly if intent is evident.
- Some provisions, such as specific contract language or licensing processes, won’t be fully enforced until October 6—but don’t assume your risk is delayed.
- After July 8, the DOJ will expect full compliance.
5 Steps to DSP Compliance: A Data Governance Checklist
With time running short, data governance professionals should prioritize these five actions:
1) Audit and Inventory Regulated Data
Start with a comprehensive review of your organization’s data landscape:
- Identify all instances of regulated data and evaluate whether they meet the DOJ’s “bulk” thresholds.
- Don’t underestimate edge cases—metadata, fitness logs, and transaction history may qualify.
2) Review Contracts, Then Rewrite Them
Evaluate all third-party agreements involving data sharing:
- Use the DOJ’s template contractual language found in the provided compliance guide for data brokerage with non-covered foreign persons.
- Contracts must include terms that prohibit downstream access to covered persons, even if your partner operates in a “safe” jurisdiction.
3) Implement a Risk-Based Compliance Program
The DOJ expects companies to go beyond paperwork:
- Build a formal compliance program modeled on frameworks like the International Emergency Economic Powers Act (IEEPA), including:
- Training and written policies
- Ongoing audits
- Enhanced due diligence on partners
- Pay particular attention to minority ownership and control structures, as you may need to screen individual stakeholders for ties to covered entities.
4) Understand the Domestic Angle
Compliance isn’t limited to international transactions:
- A U.S. branch of a foreign adversary’s company may still be considered a “covered person.”
- Your compliance program should address domestic access risks, especially where foreign ownership or control is present.
5) Prepare for Long-Term Governance Overhead
DSP compliance isn’t one-and-done:
- The rule introduces 10-year recordkeeping requirements in some cases.
- Even when not required, maintaining voluntary records may help during investigations or subpoena responses.
- Build compliance tracking into your long-term data governance architecture.
Navigating DOJ Interactions: Engage with Caution
The DOJ has made some engagement pathways available, but they come with caveats:
- Informal inquiries are welcome, but they aren’t confidential and could later inform enforcement actions.
- Formal advisory opinions or license requests are discouraged until after July 8, unless there’s an urgent public safety or national security risk.
- Voluntary self-disclosure of violations may serve as a mitigating factor in enforcement.
- The DOJ has confirmed that the FinCEN whistleblower program now covers DSP-related violations, increasing internal exposure if oversight gaps exist.
The DOJ released an official FAQ for those seeking more information.
The Countdown to Compliance
The DOJ’s Data Security Program signals a policy evolution in U.S. data governance. For enterprise leaders, it’s more than a regulatory compliance issue—it’s a test of your organization’s operational resilience and data governance capabilities.
With the grace period closing fast, compliance teams must act with urgency and precision. July 8 is not just a deadline; it’s a line in the sand.
Looking to stay ahead of evolving regulations and turn compliance into competitive advantage? Contact ZL Tech to see how our platform enables dynamic, scalable data governance.
