Effective July 8, the U.S. Department of Justice (DOJ) commenced full enforcement of its Data Security Program (DSP), marking the end of the 90-day grace period for U.S. companies and individuals handling and exporting government-related data or bulk sensitive personal data. Entities subject to the DOJ's rules must now ensure strict compliance with all DSP requirements or face significant civil and criminal penalties.
The DSP, which took effect on April 8, 2025, imposes sweeping restrictions on data transfers involving "countries of concern" (China, Cuba, Iran, North Korea, Russia, and Venezuela) and "covered persons." The program is designed to prevent foreign adversaries from accessing sensitive U.S. data, including through business transactions, data brokerage, and cloud services.
Key Enforcement Provisions Now in Effect:
- Civil and Criminal Liability: The DOJ is now authorized to pursue both civil and criminal enforcement actions against violators. Civil penalties can reach the greater of $368,136 or twice the value of each violative transaction; willful violations may result in up to 20 years' imprisonment and fines up to $1 million under the International Emergency Economic Powers Act (IEEPA).
- No More Grace Period: The DOJ will no longer deprioritize civil enforcement for companies making good-faith compliance efforts. All covered entities must be in full compliance as of July 8.
- Compliance Obligations: Impacted organizations must have completed risk assessments, updated vendor and data-sharing contracts, implemented Cybersecurity and Infrastructure Security Agency (CISA) security requirements, and ensured that no prohibited or restricted transactions occur without required safeguards.
- Ongoing Requirements: Due diligence, audit, and certain reporting obligations for restricted transactions will become enforceable on October 6, 2025; however, all core prohibitions and restrictions are now subject to active enforcement.
Immediate Action Items:
- Verify Applicability: Confirm whether your organization's data flows or business relationships involve covered data or entities.
- Document Compliance: Maintain thorough records of compliance efforts, including data mapping, vendor diligence, and updates to internal policies.
- Monitor Transactions: Ensure no prohibited or restricted data transfers occur without appropriate controls and documentation.
- Prepare for DOJ Inquiries: Be ready to respond promptly to DOJ requests or investigations related to covered transactions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
