[co-author: Sidney Howe]*
The U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace period, the majority of the DSP is now effective and will be enforced.
Background
As a reminder, the DOJ DSP aims to protect Americans’ sensitive personal data and certain U.S. Government-related data from foreign adversaries (see our blog here for more details on the rule). Specifically, the program prohibits or restricts “covered data transactions,” i.e., any transaction that involves any access by a country of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela) or covered person to any bulk U.S. sensitive personal data or government-related data (as defined in the regulations) and that involves data brokerage; a vendor agreement; an employment agreement; or an investment agreement. Common types of data that will be subject to this rule include health and biometric data; human genomic data; financial data; personal health data; government identification numbers (such as social security numbers); demographic and contact information; and network, device, and advertising identifiers.
Enforcement Timeline and Path to Compliance
While the majority of the DSP is now effective and will be enforced as of July 8, 2025, the DSP includes another deadline for companies to establish required internal policies and procedures. By October 6, 2025, companies must implement the final requirements of the DSP to create a data compliance program (if participating in restricted transactions) and comply with reporting and auditing requirements.
It is crucial that companies evaluate and strengthen their data practices in advance of the upcoming October 6, 2025 deadline. Specifically, U.S. entities subject to the DOJ DSP should evaluate the following when shoring up compliance efforts:
- Risk-based procedures for data security
- Vendor management and validation
- Written data and security policies with annual certification
- Employee training programs
- Dedicated compliance personnel
- Audit, record-keeping, and reporting procedures and procedures for data security compliance
Companies should not delay in implementation of compliance programs. This is especially pertinent when considering the potential enforcement penalties associated with the DSP. The DOJ may bring civil enforcement actions and criminal prosecutions for knowing or willful violations of DSP requirements.
Our team is actively monitoring the DOJ DSP for additional enforcement guidance and compliance updates.
*Sidney Howe is a Cybersecurity Fellow in the Governmental Practice in the firm’s Washington, D.C. office.
