The US Department of Justice’s (DOJ) new Data Security Program (DSP), designed to protect sensitive information and national security-related data from misuse by foreign actors, took full effect on October 6, 2025. The program introduces new restrictions on how companies handle and share sensitive US personal data and government-related data, especially when certain foreign entities are involved. With enforcement underway, companies should understand who is covered, what activities are restricted, and what compliance measures are required. Failure to comply with the rules can result in civil or criminal penalties.

Who Must Comply

The DSP applies broadly to US companies, citizens, or organizations that collect, store, or transfer bulk US sensitive personal or government-related data. The program also applies to entities handling US data or engaging in transactions with US persons that could expose this data to foreign persons or governments. The definitions of sensitive data and government-related data are expansive under the rule and include bulk sensitive data that is anonymized, pseudonymized, de-identified, or encrypted, leading to more transactions being covered than companies would otherwise expect under other US data privacy laws. Additionally, activities not typically viewed as involving the sale or transfer of data may nonetheless fall within the DSP’s restrictions. For example, a US company that operates a website or mobile application may trigger these rules if it knowingly installs or approves advertising technologies—such as tracking pixels or software development kits—that enable the transfer of data to third parties.

Which Foreign Countries and Persons Are Covered

The rule restricts or prohibits transactions involving “countries of concern” and persons or entities controlled by them. As of now, these countries are China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The DOJ may also designate as a “covered person” any foreign entity, owner, or individual found to be owned or directed by, or acting on behalf of, a country of concern. This flexibility allows the DOJ to expand coverage as national security concerns evolve.

What Transactions Are Prohibited vs. Restricted

The new rules identify two main categories of data-related transactions:

  • Prohibited Transactions: Unless an exception applies, transfers of US sensitive personal data or government-related data pursuant to a data brokerage agreement with countries of concern or covered persons are prohibited.
  • Restricted Transactions: Other covered transfers via vendor agreements, employment agreements, or investment agreements may proceed only if specific security measures, contractual safeguards, and recordkeeping requirements are met. 

What Obligations Companies Now Have for Restricted Transactions

  • Due Diligence Requirements: Companies must develop and implement a data compliance program that includes risk-based procedures to verify and document the flow, parties, and end use of any sensitive or government-related data. The program must include written, annually certified policies describing compliance and security measures, vendor verification processes, and any additional information required by the attorney general.  
  • Audit Requirements: Companies must conduct an annual, independent audit to ensure that compliance is working as intended. The audit should examine a range of activities, such as data practices, security safeguards, and recordkeeping. The final report must be retained for 10 years. 
  • Records and Recordkeeping Requirements: Companies must keep complete, accurate records of all restricted transactions for at least 10 years. This includes maintaining written compliance and security policies, audit results, due diligence documentation, and any licenses or agreements related to restricted transactions. A company officer must certify such records’ accuracy and completeness annually.
  • Reporting Requirements: The DOJ may request reports or supporting documents at any time. Companies involved in restricted cloud-based transactions must file annual reports summarizing the previous year’s activities. Finally, if a company receives and rejects a prohibited data-brokerage transaction, it must report such transaction to the DOJ within 14 days.
  • Security Requirements: The DOJ incorporated the Cybersecurity and Infrastructure Security Agency’s cybersecurity standards for restricted transactions to protect sensitive or government-related data.

Whistleblower Program

The Financial Crimes Enforcement Network established a whistleblower program with incentives for individuals reporting violations of the DSP. Individuals located in the US or abroad who provide information about violations of the DSP may be eligible for awards if the information they provide leads to a successful enforcement action by the DOJ that results in monetary penalties exceeding $1 million.

Organizations should review their current data practices, contracts, and vendor relationships to ensure compliance with the new rule. Our team can help evaluate your exposure, design compliance programs, and guide implementation under the DOJ’s framework. For more information, please contact the authors or any member of the McCarter & English Cybersecurity & Data Privacy team.

*Donnie Oliver, a law clerk at McCarter not yet admitted to the bar, contributed to this alert.