DOJ Data Security Program Enforcement Delay Has Ended – Is Your Company Ready?

Client Alert  |  July 10, 2025


Gibson Dunn lawyers are actively advising in this space and are available to assist in addressing any questions you may have regarding these issues. We have developed materials intended to be useful for companies that are continuing to develop their compliance programs.

Overview:

  • On December 27, 2024, the Department of Justice (DOJ) issued a final rule pursuant to a mandate set out in Executive Order 14117 that established a new federal regulatory framework for “bulk sensitive personal data” and “United States government-related data.”[i] This framework, which came into effect on April 8, 2025, has been referred to by DOJ as the “Data Security Program” (DSP).[ii]
  • The DSP restricts or prohibits certain transactions that could involve access to bulk U.S. sensitive personal data or U.S. government data by a class of covered persons and countries of concern, and it imposes numerous diligence, security, audit, and recordkeeping requirements. For more details on these restrictions, prohibitions, and requirements, refer to our Client Alert published April 16, 2025.
  • DOJ's 90-day de-prioritization of DSP civil enforcement against persons who made “good faith” efforts to comply expired on July 8, 2025. Before July 8, 2025, DOJ policy was to pursue only “egregious, willful” violations by companies not making a “good faith effort” to comply. DOJ now expects that “individuals and entities should be in full compliance with the DSP and should expect [the DOJ National Security Division] to pursue appropriate enforcement with respect to any violations.”[iii]
  • The DSP reflects a quilted approach, knitting together frameworks including export controls, sanctions, data privacy, data security, and CFIUS, and applies broadly across sectors and industries.  As DOJ has now clearly articulated its expectations regarding DSP compliance, companies should ensure that they have assessed their potential exposure under the DSP and taken appropriate steps to manage and mitigate attendant risks.

Recommended Actions:

  • Data Risk Assessment: U.S. companies and those with a U.S. presence should work to understand the potential for access to relevant data by persons (which can be individual or corporate persons) associated with countries of concern (i.e., China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela) to determine whether they may be considered a restricted or prohibited transaction. In particular, companies should:
    • Map potentially covered data and relevant access controls (as well as access logs/records), and
    • Evaluate key vendors, customers, employees, and affiliates to ascertain the potential that they may directly or indirectly provide access to data covered by the DSP to a covered person.
  • Security Measures: Where companies determine they are engaged in a restricted transaction that cannot be unwound, they are required to implement and demonstrate compliance with “security measures” articulated by the Department of Homeland Security.  Despite the moniker, compliance with these security measures presents a de facto requirement of fully restricting access to data subject to the DSP by covered persons.
  • Compliance Program Build-out: All companies should consider implementing appropriate, risk-based compliance measures to mitigate identified risks, including as informed by DOJ guidance.[iv]  Companies engaging in restricted transactions are expected to adopt and be able to demonstrate compliance measures (including audit, reporting, and certification requirements) by October 6, 2025.  
  • Public Disclosure Obligations: SEC registrants should also consider the disclosure implications of the DSP. In particular, there may be implications for risk factor disclosures (e.g., annual and quarterly reports, registration statements) as well as discussions of cybersecurity risk management, strategy, and governance in annual reports.[v] SEC-registered entities (e.g., broker-dealers, investment advisers, investment companies, transfer agents, funding portals) should also revisit their Regulation S-P policies and procedures to ensure that they align with their new DSP obligations.

Penalties for Non-Compliance:

Significant penalties may apply for violations of the DSP. 

  • Civil penalties up to the greater of $377,700 or twice the value of the transaction.
  • Criminal penalties up to $1 million and 20 years’ imprisonment.


[i] Exec. Order No. 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern,” 89 Fed. Reg. 40424 (issued Feb. 28, 2024; published May 9, 2024). 

[ii] See Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern, 89 Fed. Reg. 1230 (Jan. 8, 2025); Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern, 89 Fed. Reg. 28865 (Apr. 18, 2025) (codified at 28 C.F.R. §§ 202 et seq.); see also Dep’t. of Justice, DSP Compliance Guide (Apr. 11, 2025), https://www.justice.gov/opa/media/1396356/dl; Dep’t. of Justice, DSP: Frequently Asked Questions (Apr. 11, 2025), https://www.justice.gov/opa/media/1396351/dl; Dep’t. of Justice, DSP: Implementation and Enforcement Policy Through July 8, 2025 (Apr. 11, 2025), https://www.justice.gov/opa/media/1396346/dl?inline.

[iii] Dep’t. of Justice, DSP: Frequently Asked Questions, at p. 5 (Apr. 11, 2025), https://www.justice.gov/opa/media/1396351/dl.

[iv] See Dep’t. of Justice, DSP Compliance Guide (Apr. 11, 2025), https://www.justice.gov/opa/media/1396356/dl; Dep’t. of Justice, DSP: Frequently Asked Questions (Apr. 11, 2025), https://www.justice.gov/opa/media/1396351/dl.

[v] See 17 CFR § 229.106 (Aug. 4, 2023).


The following Gibson Dunn lawyers prepared this update: Vivek Mohan, Stephenie Gosnell Handler, Melissa Farrar, Mellissa Campbell Duru, Sarah Pongrace, and Christine Budasoff.
