Table of Contents
- What Is the DOJ Data Security Program?
- Does the DOJ Data Security Program Apply to Your Organization?
- Countries of Concern and Covered Persons
- Prohibited Transactions Versus Restricted Transactions
- A Practical DOJ Data Security Program Compliance Checklist
- 1. Build an Accurate Data Inventory
- 2. Map Data Flows and Access Paths
- 3. Classify Every Relevant Transaction
- 4. Perform Risk-Based Counterparty Due Diligence
- 5. Implement the CISA Security Requirements
- 6. Establish a Written Data Compliance Program
- 7. Conduct Annual Independent Audits
- 8. Maintain Records for at Least 10 Years
- 9. Build Mandatory Reporting Into the Workflow
- 10. Update Contracts
- Do Any Exemptions Apply?
- Examples of Potential Compliance Risks
- Penalties and the DOJ Knowledge Standard
- Practical Compliance Experiences: Lessons From the Readiness Process
- Conclusion: Compliance Starts With Knowing Your Data
The United States has entered a new era of data regulation, one in which transferring sensitive information can be treated a little like exporting controlled technology. That means a cloud administrator, overseas contractor, data broker, research partner, investor, or remote employee may create national security risk without anyone attaching a suspicious-looking briefcase to their wrist.
The Department of Justice’s Data Security Program, commonly called the DOJ DSP or Bulk Data Rule, regulates certain transactions that give countries of concern or covered persons access to bulk U.S. sensitive personal data or U.S. government-related data. The program took effect on April 8, 2025. Its delayed due diligence, audit, reporting, and related affirmative obligations were also fully in force by October 6, 2025.
For businesses, universities, laboratories, healthcare organizations, financial institutions, technology providers, and data-driven startups, the practical question is no longer whether the rule sounds important. It is whether the organization can prove that it understands its data, counterparties, systems, contracts, and international access arrangements.
What Is the DOJ Data Security Program?
The Data Security Program implements Executive Order 14117 through regulations codified at 28 C.F.R. Part 202. Its purpose is to prevent foreign adversaries from using ordinary commercial transactions to obtain sensitive information about Americans or the U.S. government.
This is not simply another consumer privacy law. It operates more like an export-control and national security regime for data. A company may satisfy its state privacy notices, obtain consumer consent, and use excellent encryption yet still have a DOJ compliance problem. Consent is not a universal exception, and encryption does not automatically remove information from the definition of regulated data.
The rule focuses on four basic questions:
- Is a U.S. person involved?
- Does the transaction involve regulated data?
- Could a country of concern or covered person gain access?
- Is the arrangement data brokerage, a vendor agreement, an employment agreement, or an investment agreement?
When all four pieces line up, the transaction may be prohibited, restricted, exempt, or eligible for authorization under a license. Unfortunately, the rule does not come with a cheerful traffic light that flashes red or green. Organizations must perform the analysis themselves.
Does the DOJ Data Security Program Apply to Your Organization?
You May Be a U.S. Person Even When Operating Globally
The program applies broadly to U.S. persons. This category includes U.S. citizens, nationals, lawful permanent residents, refugees, and asylees. It also includes entities organized solely under U.S. law, including their foreign branches, and anyone physically located in the United States.
A U.S. corporation therefore cannot assume that an activity falls outside the rule merely because the relevant server, branch office, contractor, or business team is overseas.
Your Data May Reach a Bulk Threshold Faster Than Expected
Bulk U.S. sensitive personal data includes covered personal identifiers, financial information, health information, precise geolocation data, biometric identifiers, and human omic data. Thresholds are generally evaluated across a rolling 12-month period, including transactions that must be aggregated between the relevant parties.
| Category of U.S. Sensitive Personal Data | Bulk Threshold |
|---|---|
| Human genomic data | 100 U.S. persons |
| Human epigenomic, proteomic, or transcriptomic data | 1,000 U.S. persons |
| Biometric identifiers | 1,000 U.S. persons |
| Precise geolocation data | 1,000 U.S. devices |
| Personal health data | 10,000 U.S. persons |
| Personal financial data | 10,000 U.S. persons |
| Covered personal identifiers | 100,000 U.S. persons |
| Combined categories | Lowest applicable threshold |
Government-related data can be regulated without reaching a bulk threshold. It includes specified precise geolocation information associated with sensitive government locations and certain personal data marketed as linked or linkable to government personnel.
Organizations should also remember that de-identified, pseudonymized, anonymized, or encrypted information may still count toward the threshold. Those treatments can reduce risk and may help satisfy security requirements, but they do not provide a magical invisibility cloak.
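To make the threshold rules concrete, here is an added example (not part of the original article or any DOJ tool) that aggregates transfers with one counterparty over a rolling 12-month window and applies the table above, including the "lowest applicable threshold" rule for combined categories. The category names, the per-counterparty aggregation key, and the sample transfers are assumptions constructed for the example; counts are summed rather than de-duplicated, which can only overstate the total.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Bulk thresholds as given in the article's table. Units are U.S. persons,
# except precise geolocation, which is counted in U.S. devices.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_epigenomic_proteomic_transcriptomic": 1_000,
    "biometric_identifiers": 1_000,
    "precise_geolocation": 1_000,
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_personal_identifiers": 100_000,
}


@dataclass(frozen=True)
class Transfer:
    """One transaction with a counterparty (constructed sample record)."""
    counterparty: str
    when: date
    category: str
    count: int  # distinct U.S. persons (or devices) covered by this transfer


def aggregate_window(transfers, counterparty, as_of, days=365):
    """Sum counts per category for one counterparty over a rolling window
    ending at as_of. Assumes a 365-day window approximates '12 months'."""
    start = as_of - timedelta(days=days)
    totals = {}
    for t in transfers:
        if t.counterparty != counterparty or not (start < t.when <= as_of):
            continue
        if t.category not in BULK_THRESHOLDS:
            raise ValueError(f"unknown data category: {t.category}")
        totals[t.category] = totals.get(t.category, 0) + t.count
    return totals


def evaluate_bulk(totals):
    """Return (is_bulk, reason). Each category is tested against its own
    threshold; when several categories are combined and none meets its own
    threshold, the lowest applicable threshold governs the combined set."""
    for cat, n in totals.items():
        if n >= BULK_THRESHOLDS[cat]:
            return True, f"{cat}: {n} >= {BULK_THRESHOLDS[cat]}"
    if len(totals) > 1:
        lowest = min(BULK_THRESHOLDS[c] for c in totals)
        combined = sum(totals.values())  # conservative: no de-duplication
        if combined >= lowest:
            return True, f"combined {combined} >= lowest applicable threshold {lowest}"
    return False, "below bulk thresholds"


def is_bulk_for(transfers, counterparty, as_of_iso):
    """Convenience wrapper: evaluate one counterparty as of an ISO date."""
    totals = aggregate_window(transfers, counterparty, date.fromisoformat(as_of_iso))
    return evaluate_bulk(totals)


# Constructed sample transfers. vendor-A crosses the health threshold only
# when two transfers fall inside the same 12-month window; vendor-B meets no
# single-category threshold but the combined set trips the lowest one.
SAMPLE_TRANSFERS = [
    Transfer("vendor-A", date(2025, 3, 1), "personal_health", 6_000),
    Transfer("vendor-A", date(2025, 9, 15), "personal_health", 5_000),
    Transfer("vendor-B", date(2025, 6, 10), "covered_personal_identifiers", 50_000),
    Transfer("vendor-B", date(2025, 6, 10), "precise_geolocation", 900),
]

if __name__ == "__main__":
    for cp, as_of in [("vendor-A", "2025-10-01"), ("vendor-A", "2026-03-05"), ("vendor-B", "2025-12-31")]:
        print(cp, as_of, is_bulk_for(SAMPLE_TRANSFERS, cp, as_of))
```

Note that vendor-A drops below the threshold once the March 2025 transfer ages out of the window, which is why the inventory in step 1 must record dates, not just totals.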
“Access” Is Broader Than Sending a File Overseas
A regulated transfer does not require someone to email a spreadsheet named “Extremely Sensitive Data, Please Be Careful.xlsx.” Access can arise through remote administration, technical support, database permissions, system monitoring, software development, analytics, shared workspaces, cloud infrastructure, or the ability to retrieve or alter information.
A foreign vendor that never downloads a database may still have access if its personnel can query, view, administer, or otherwise obtain the regulated information.
Countries of Concern and Covered Persons
The countries of concern currently identified under the program are China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia, and Venezuela.
The rule also reaches covered persons connected to those countries. Depending on the facts, covered persons may include:
- Foreign entities organized under the laws of, headquartered in, or principally operating from a country of concern;
- Foreign entities owned 50 percent or more, individually or in the aggregate, by countries of concern or other covered persons;
- Foreign employees or contractors of covered entities or governments of countries of concern;
- Foreign individuals primarily resident in a country of concern; and
- Persons separately designated by the attorney general.
The DOJ Covered Persons List is important, but it is not exhaustive. Screening only the published list is therefore inadequate. Organizations may need ownership information, headquarters and formation details, employee or contractor relationships, and residency information.
Prohibited Transactions Versus Restricted Transactions
Prohibited Transactions Must Not Proceed
Data brokerage involving a country of concern or covered person is generally prohibited when it provides access to government-related data or bulk U.S. sensitive personal data. Data brokerage includes selling data, licensing access, or entering a similar commercial arrangement in which the recipient did not collect or process the information directly from the individuals to whom it relates.
Data brokerage with another foreign person may also require contractual restrictions preventing onward transfers to countries of concern or covered persons. A U.S. person that knows or suspects the foreign recipient has violated that restriction generally must report the matter promptly.
Transactions that provide countries of concern or covered persons access to bulk human omic data, or biospecimens from which such data could be derived, receive particularly strict treatment. Qualifying vendor, employment, or investment arrangements involving this information may be prohibited rather than merely restricted.
The rule also prohibits evasion, attempted violations, conspiracies, and knowingly directing another person to engage in conduct that would be unlawful if performed by a U.S. person. Moving a transaction through a conveniently located intermediary does not transform a red flag into a green one. It merely gives the red flag a connecting flight.
Restricted Transactions May Proceed With Required Safeguards
Vendor agreements, employment agreements, and investment agreements involving regulated access by a country of concern or covered person are generally restricted transactions. They may proceed only when the U.S. person satisfies the applicable DOJ obligations and CISA security requirements.
A restricted transaction is not a casual “encrypt it and carry on” exercise. The organization must use a combination of governance, system, and data-level controls that effectively prevents covered persons from accessing regulated data in an identifiable, linkable, unencrypted, or readily decryptable form.
A Practical DOJ Data Security Program Compliance Checklist
1. Build an Accurate Data Inventory
Identify what sensitive personal and government-related data the organization collects, creates, purchases, hosts, analyzes, licenses, or stores. Record the data category, number of U.S. persons or devices, system location, retention period, business owner, and external recipients.
Do not stop at production databases. Include backups, test environments, support tickets, analytics platforms, data lakes, collaboration tools, archived exports, and software logs.
2. Map Data Flows and Access Paths
Document where regulated information travels and who can reach it. Review foreign vendors, subcontractors, remote workers, investors, joint ventures, research collaborators, affiliates, and technical-support teams.
The map should show logical access as well as physical transfers. A database may remain in Virginia while an administrator halfway around the world holds credentials that open the front door.
3. Classify Every Relevant Transaction
Determine whether each arrangement is data brokerage, a vendor agreement, an employment agreement, or an investment agreement. Then classify it as prohibited, restricted, exempt, licensed, or outside the rule.
Document the reasoning. A conclusion living only in the memory of one attorney or engineer is not much of a compliance record, especially after that person changes jobs.
4. Perform Risk-Based Counterparty Due Diligence
Verify identities, ownership, incorporation, headquarters, principal place of business, residency, employment relationships, and subcontracting chains when relevant. Screen against the DOJ Covered Persons List, but do not treat list screening as the entire analysis.
Due diligence should occur before onboarding and be refreshed according to the organization’s risk profile. Ownership, personnel, locations, and subcontractors can change after a contract is signed.
5. Implement the CISA Security Requirements
Organizations engaging in restricted transactions must establish applicable organizational and covered-system safeguards. These may include asset inventories, cybersecurity responsibility assignments, vulnerability management, approved hardware and software procedures, network documentation, access controls, multifactor authentication, logging, incident-response capabilities, and vendor-security governance.
At the data level, organizations may use an effective combination of:
- Data minimization and masking;
- Encryption in storage and transit with protected key management;
- Privacy-enhancing technologies;
- Identity and access management;
- Segmentation and isolation; and
- Controls that deny covered persons access to regulated data.
The selected combination must actually work. A written policy claiming that covered data is segmented will not impress anyone if a test account can cross the segment before lunch.
6. Establish a Written Data Compliance Program
The program should assign responsibility, define transaction-review procedures, explain due diligence, describe the implementation of security controls, establish escalation channels, and address training, reporting, record retention, and remediation.
Required policies and certifications should be reviewed annually by the responsible officer, executive, or compliance employee. Senior management should receive enough information to understand the organization’s exposure rather than simply signing the ceremonial compliance parchment.
7. Conduct Annual Independent Audits
Restricted transactions require annual audits examining both the transactions and the organization’s compliance program. An audit may be performed internally or externally when the auditor is sufficiently independent and the review satisfies the regulatory requirements.
The audit should test controls, sample access records, examine data flows, verify counterparty diligence, review incidents, and identify remediation work. A document that merely repeats management’s assurances is a book report, not an audit.
8. Maintain Records for at Least 10 Years
Relevant records generally must be retained in an auditable form for at least 10 years. These may include contracts, diligence results, transaction analyses, policies, certifications, training records, access logs, audit reports, security-control evidence, reports, and licensing materials.
9. Build Mandatory Reporting Into the Workflow
The rule contains reporting obligations for specified events, including certain rejected prohibited data-brokerage offers, known or suspected violations of contractual onward-transfer restrictions, and designated categories of restricted transactions.
Legal, procurement, security, sales, human resources, and corporate-development teams should know how to escalate a reportable event. Waiting for the annual privacy meeting is not a reporting procedure.
10. Update Contracts
Relevant agreements should address permitted access, geographic restrictions, subcontractors, onward transfers, security requirements, certifications, audit rights, incident notification, cooperation, data return or deletion, and termination rights.
Contract language does not replace operational controls. It does, however, provide evidence, allocate responsibility, and give the organization options when a counterparty begins improvising.
Do Any Exemptions Apply?
The program contains exemptions for specified activities, including certain personal communications, informational materials, official U.S. government activities, financial services, telecommunications services, corporate-group administrative functions, regulatory approvals, and qualifying clinical investigations or post-marketing activities.
These exemptions are carefully defined. A company should not conclude that every transaction conducted by a bank is a financial-services transaction, every transfer within a corporate family is exempt, or every healthcare project qualifies as clinical research.
An exemption analysis should identify the exact regulatory provision, explain how each condition is satisfied, and be preserved with the transaction records. “Someone in operations said this was probably exempt” is not the legal standard.
Examples of Potential Compliance Risks
Foreign Cloud-Support Personnel
A U.S. healthcare platform stores records for 40,000 American patients. A foreign cloud contractor allows support engineers primarily resident in a country of concern to access the production environment. Because the arrangement involves a vendor agreement, personal health data above the bulk threshold, and covered-person access, it may be a restricted transaction requiring the full compliance and security framework.
Sale of Advertising Data
A U.S. advertising company licenses covered personal identifiers associated with 150,000 Americans to a foreign data reseller. Even when the reseller is not a covered person, the U.S. company may need contractual restrictions against onward transfers to countries of concern and a process for reporting known or suspected violations.
Genomic Research Collaboration
A biotechnology company proposes to send biospecimens from hundreds of U.S. participants to a laboratory connected to a country of concern. If bulk human genomic data could be derived from those specimens, the arrangement may be prohibited. Installing better antivirus software would not rescue a transaction the rule says must not occur.
Real transactions are highly fact-specific. These examples illustrate the analysis but should not replace advice based on the actual contract, data, parties, ownership structure, and access design.
Penalties and the DOJ Knowledge Standard
Violations may produce substantial civil penalties under the International Emergency Economic Powers Act. The maximum can be the greater of the applicable inflation-adjusted statutory amount or twice the value of the underlying transaction. Willful criminal violations may lead to fines of up to $1 million and, for individuals, imprisonment of up to 20 years.
The DSP is not framed as a pure strict-liability program. Its prohibitions generally include a knowledge standard covering what a person actually knew or reasonably should have known.
That standard rewards sensible due diligence and punishes strategic blindness. An organization cannot ignore obvious foreign ownership, leave data access undocumented, decline to ask where contractors work, and later announce that the whole situation was a delightful surprise.
When a potential violation is discovered, the organization should preserve evidence, stop or contain risky access, involve qualified counsel, determine whether reporting is mandatory, remediate the weakness, and evaluate voluntary self-disclosure. DOJ guidance indicates that timely disclosure, cooperation, and remediation may affect enforcement decisions.
Practical Compliance Experiences: Lessons From the Readiness Process
Organizations preparing for DOJ Data Security Program compliance commonly discover that the legal analysis is not the hardest part. The hardest part is connecting legal rules to systems, people, vendors, and data that have accumulated over years without a single owner.
The First Data Map Is Usually Wrong
A privacy team may begin with a polished diagram showing customer information moving from a website to a database and then to an approved analytics platform. Technical interviews often reveal several additional destinations: a customer-support application, a troubleshooting environment, a developer’s test account, a disaster-recovery region, and an old reporting tool nobody remembers purchasing.
The experience teaches an important lesson: compliance inventories should be verified through system logs, identity platforms, procurement records, interviews, and technical testing. A diagram based only on questionnaires can look gorgeous while missing half the building.
Vendor Location Is Not the Same as Vendor Risk
Another recurring surprise involves U.S.-based vendors. A supplier may be incorporated in Delaware and invoice from California while relying on foreign affiliates or subcontractors for engineering, moderation, analytics, or after-hours support. The name on the contract therefore tells only part of the story.
Effective reviews ask where services are performed, who can access regulated systems, whether work can be reassigned, how subcontractors are approved, and whether ownership or staffing has changed. Procurement teams often need new intake questions because “vendor country” is no longer a one-box exercise.
Access Reduction Is Often Better Than Access Documentation
Some organizations initially try to document every existing permission. During that process, they discover hundreds of users with broad access they no longer need. Removing access may be faster, safer, and cheaper than building a sophisticated control structure around unnecessary privileges.
This is where DOJ compliance can improve cybersecurity generally. Data minimization, least-privilege access, network segmentation, strong identity management, and shorter retention periods reduce regulatory exposure while also shrinking the attack surface. Occasionally, a regulation does help clean the garage.
Ownership Must Be Shared Across Departments
Legal teams can interpret the rule, but they cannot configure identity controls. Cybersecurity teams can restrict accounts, but they may not recognize an investment agreement. Procurement can amend contracts, but it may not know which data meets a rolling threshold. Human resources understands employee arrangements, while research teams understand biospecimens and omic data.
Successful programs therefore use a cross-functional steering group with defined decision rights. A practical operating model assigns business owners to data sets, legal owners to classification questions, security owners to control implementation, and compliance owners to evidence and reporting.
Evidence Should Be Collected While Work Happens
Many organizations build controls first and think about audit evidence later. They then spend weeks reconstructing approval records, screenshots, tickets, training logs, and access reviews.
A more durable approach links each obligation to evidence from the beginning. For example, counterparty reviews should produce dated records; access approvals should be retained automatically; vulnerability remediation should be traceable through tickets; and policy certifications should have assigned deadlines. Compliance becomes much less theatrical when the evidence is generated by normal operations.
Tabletop Exercises Expose the Real Gaps
A useful readiness exercise presents the team with a realistic scenario: monitoring detects a foreign contractor accessing a covered database after the contractor’s work location changed. Participants must decide who disables access, who preserves logs, who reviews the contract, who determines whether the person is covered, and who evaluates reporting obligations.
These exercises frequently reveal unclear escalation paths and missing contact information. Finding those weaknesses during a meeting is considerably cheaper than discovering them while a reporting deadline is sprinting toward the company.
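The tabletop scenario above can be turned into a detection check. This added example (not from the article or any vendor product) scans constructed identity-platform log lines for access to covered systems by principals whose observed location is a country of concern or differs from the location on record, and attaches the escalation steps the scenario asks participants to assign. The ISO country codes, the principal directory, the covered-system registry, and the log format are all assumptions.

```python
import json

# The article's countries of concern, as ISO 3166-1 codes (assumption).
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "CU", "IR", "KP", "RU", "VE"}

# Constructed directory: the work location last recorded by HR or procurement.
PRINCIPALS = {
    "svc-dba-7":  {"type": "employee",   "recorded_country": "US"},
    "ctr-ops-22": {"type": "contractor", "recorded_country": "IE"},
    "ctr-dev-03": {"type": "contractor", "recorded_country": "US"},
}

# Constructed registry of covered systems (those holding regulated data).
# Deliberately omits "staging-db" to show how an incomplete inventory
# (see checklist step 1) silently drops an event from review.
COVERED_SYSTEMS = {"ehr-prod-db", "geo-events-lake"}

# Ordered escalation steps from the tabletop scenario in the article.
PLAYBOOK = [
    "disable or contain the access",
    "preserve logs and other evidence",
    "review the governing contract",
    "determine whether the person is a covered person",
    "evaluate mandatory reporting obligations",
]

# Constructed access-log lines, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-11-03T08:12:44Z","user":"svc-dba-7","system":"ehr-prod-db","src_country":"US","action":"query"}
{"ts":"2025-11-03T09:40:02Z","user":"ctr-ops-22","system":"ehr-prod-db","src_country":"RU","action":"admin_login"}
{"ts":"2025-11-03T10:05:19Z","user":"ctr-dev-03","system":"staging-db","src_country":"CN","action":"query"}
{"ts":"2025-11-03T11:20:00Z","user":"unknown-91","system":"geo-events-lake","src_country":"US","action":"export"}
"""


def evaluate_event(event):
    """Return a list of findings for one parsed event (empty if benign)."""
    findings = []
    if event["system"] not in COVERED_SYSTEMS:
        return findings  # not a covered system: out of scope for this check
    principal = PRINCIPALS.get(event["user"])
    if principal is None:
        return ["unknown principal accessed a covered system"]
    src = event["src_country"]
    recorded = principal["recorded_country"]
    if src in COUNTRIES_OF_CONCERN:
        findings.append(f"access from country of concern ({src})")
    if src != recorded:
        findings.append(f"work location changed: recorded {recorded}, observed {src}")
    return findings


def scan(log_text):
    """Parse JSON log lines and return alerts with findings and next steps."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = evaluate_event(event)
        if findings:
            alerts.append({"ts": event["ts"], "user": event["user"],
                           "system": event["system"], "findings": findings,
                           "next_steps": PLAYBOOK})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["system"], alert["findings"])
```

The third sample line is never reviewed because staging-db is missing from the registry, which is the inventory gap the article warns about under step 1.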
Conclusion: Compliance Starts With Knowing Your Data
DOJ Data Security Program compliance requires more than adding a paragraph to a privacy policy. Organizations must know what regulated information they hold, calculate applicable thresholds, understand who can access the data, investigate counterparties, classify transactions, implement CISA safeguards, conduct audits, preserve records, and respond quickly to warning signs.
The strongest programs convert those obligations into repeatable business processes. Data inventories are maintained rather than created once. Counterparties are monitored rather than screened only at onboarding. Controls are tested rather than admired from a safe distance. Decisions are documented rather than preserved in folklore.
When the DOJ asks how an organization reached its compliance conclusion, the ideal response is a clear package of evidence, not a conference-room silence followed by someone quietly closing a laptop.
