Data Security and National Security: Are You the Weak Link?
Saturday, September 6, 2025

Why Federal Law Enforcement Believes Foreign Adversaries Can Harm the U.S. by Exploiting Your Tech and Data

International cybercrime is not new. As a business owner in today's interconnected economy, you know all about the need to protect your technology, financial accounts, business operations, and customer data from digital theft and ransomware. Additionally, many cyber criminals are working for, or in coordination with, countries that want to harm the U.S. economy, our infrastructure, and even our national defense. That's why the U.S. Department of Justice ("DOJ") is beginning to enforce the new Data Security Program ("DSP") regulation. Every business in the U.S. is now subject to enforcement. The grace period for civil enforcement ended on July 8, 2025, and additional obligations like reporting and audits take effect on October 6, 2025. Are you ready for the new age of DSP?

According to the DOJ, the DSP focuses on the "unusual and extraordinary threat…to the national security and foreign policy of the United States." That threat includes exploitation of U.S. government-related data and U.S. business-related data to commit espionage and economic crimes, conduct surveillance and counterintelligence activities, develop harmful AI, and undermine our national security.

Much of the media coverage of the DSP emphasizes the "export" component of the rule. But, in fact, businesses that are not exporters or importers of material goods could still find themselves a link in the DSP chain. Whether those businesses are weak links depends on their ability to implement a DSP compliance plan. If your business's digital resources or customer data travel internationally by electronic means, or you allow foreign access to your tech and data, you probably should have a DSP compliance plan.

In this article, we discuss the following topics: 

  1. How the Program Works: Export Controls for the Digital Age
  2. Who Must Comply: A Broader Net Than You Might Think
  3. Timeline and Enforcement: A Phased Approach
  4. Key Compliance Obligations: Prohibitions and Restrictions
  5. Key Compliance Obligations: Company Actions
  6. Understanding the Risks: Penalties 

How the Program Works: Export Controls for the Digital Age

Think of the DSP as creating virtual import and export controls for data that prohibit or restrict "covered data transactions" which involve access by a "country of concern" or "covered persons" to any United States "government-related data" or Americans' "bulk sensitive personal data" (the DOJ's DSP frequently asked questions document contains important updated interpretations and guidance). To better understand the prohibitions, restrictions, and requirements of the DSP, we need to first understand the following three elements: 

  1. What is a "covered data transaction?"
  2. What or who is a "country of concern" or "covered person?"
  3. What constitutes "government-related data" or "bulk U.S. sensitive personal data?" 

FIRST, for the DSP to apply, the transaction must constitute a "covered data transaction," which is a set of transactions granting access to a "country of concern" or "covered persons" to any United States "government-related data" or "bulk U.S. sensitive personal data," which involves one or more of the following: 

  • A data brokerage (defined as: "sale of data, licensing of access to data, or similar commercial transactions . . . where the recipient did not collect or process the data directly from the individuals linked or linkable to the collected or processed data")
  • A vendor agreement (defined as: "any agreement or arrangement . . . in which any person provides goods or services to another person . . . in exchange for payment or other consideration")
  • An employment agreement (defined as: "any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration")
  • An investment agreement (defined as: "an agreement or arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to" real estate located in the U.S. or a U.S. legal entity).

SECOND, the DSP specifically targets what the DOJ calls:  

  • "countries of concern," which are countries that have "engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of United States persons," and that pose "a significant risk of exploiting government-related or bulk U.S. sensitive personal data to the detriment of the national security of the United States or security and safety of U.S. persons," which currently include China, Russia, Iran, Venezuela and other potential foreign adversaries; and
  • "covered persons," defined as five (5) specific categories of persons that essentially fall under the broad grouping of individuals or entities that operate under the jurisdiction, ownership, control, or direction of a "country of concern."

THIRD, the DSP is not concerned with data transactions solely within the U.S., or cross-border transactions with countries not considered a "country of concern." The DSP focuses on transactions with a "country of concern" or a "covered person" in two primary categories of information: U.S. "government-related data" or "bulk U.S. sensitive personal data." Understanding these categories is crucial for determining whether your business falls under the program's scope. 

  • U.S. Government-related data includes: (a) any precise geolocation data (i.e., location within 1,000 feet) of 736 defined sensitive geographic areas (e.g., worksites, duty stations, military installations, facilities that support U.S. national security, etc.) defined in the Government-Related Location Data List by latitude and longitude coordinates; and (b) sensitive personal data linked to current or recent U.S. government employees, contractors, or senior officials. 
  • The bulk sensitive personal data category is broader and includes genomic data, precise geolocation information, biometric identifiers, personal health information, financial data, and personally identifiable information relating to U.S. persons. The keyword here is "bulk." The DSP is primarily concerned with large datasets rather than individual records, though the specific thresholds for what constitutes "bulk" vary depending on the type of data and the sensitivity of the information. For example, the "bulk" threshold for human genomic data is records of 100 U.S. persons, whereas the threshold for personal health data is records of 10,000 U.S. persons. The thresholds for "bulk" can be found here.

Who Must Comply: A Broader Net Than You Might Think

The DSP requires all individuals and entities subject to U.S. jurisdiction, as well as foreign individuals and entities engaging in a "covered data transaction" with a "country of concern" or "covered person" that involves transfers of U.S. "government-related data" or "bulk U.S. sensitive personal data," to comply with the DSP.

This broad scope means that compliance is not limited to American companies. A foreign business that deals with American customers, governmental entities, partners, or data is likely subject to these requirements, as well. Similarly, an American company with international operations needs to ensure that its foreign subsidiaries and partners also comply with the DSP's restrictions. 

Additionally, the DSP covers both direct and indirect relationships. If a company uses a third-party service provider that has ties to countries of concern, it could be inadvertently violating the program's restrictions. This makes due diligence on one's business partners and service providers more critical than ever.

Timeline and Enforcement: A Phased Approach

The Data Security Program officially went into effect on April 8, 2025, but the DOJ has implemented a phased enforcement approach to give businesses time to adjust their operations. To provide additional time for entities and individuals to come into compliance, the DSP delays certain affirmative due diligence obligations, which do not go into effect until October 6, 2025. 

The DOJ's National Security Division ("NSD") stated that persons subject to the DSP will not face enforcement in the initial 90-day period from April 8, 2025, through July 8, 2025, so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time. 

After July 8, 2025, the NSD expects full compliance with the program's prohibitions and restrictions, and penalties for non-compliance will apply. Starting on October 6, 2025, additional affirmative obligations around due diligence, auditing, and reporting will take effect, creating an even more comprehensive compliance framework.

Key Compliance Obligations: Prohibitions and Restrictions

Compliance with the DSP requires more than just satisfying the requirements relating to "prohibited transactions" and "restricted transactions," but those two categories are the starting point.

Under the DSP, a "prohibited transaction" is a data transaction that is subject to one or more prohibitions in the DSP subpart C, which prohibits U.S. persons from engaging in:

  • covered data transactions involving data brokerage (as discussed above) of bulk U.S. sensitive personal data or government-related data with: (a) "countries of concern" or "covered persons," or (b) other foreign persons, unless the data brokerage transaction includes a contractual prohibition on resale of any such data;
  • any data transactions with "countries of concern" or "covered persons" involving access to bulk human 'omic data; and/or
  • evasions, attempts, the causing of violations, conspiracies, and/or knowingly directing prohibited or restricted transactions.

One step below "prohibited transactions" are "restricted transactions." Unless exempt or otherwise authorized by a general or specific license, U.S. persons may not knowingly engage in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies with all applicable DSP requirements, including the security requirements imposed by subpart D; specifically:

  • CISA Requirements for Restricted Transactions;
  • Data Compliance Program development and implementation requirements under 28 CFR Part 202.1001;
  • the obligation to conduct audits that comply with the requirements of 28 CFR Part 202.1002; and
  • the recordkeeping requirements under 28 CFR Part 202.1101–1104.

That being said, the DSP includes 11 exemptions to the prohibitions and restrictions of the DSP for transactions that involve: 

  • Personal communications (that do not involve the transfer of anything of value)
  • Information or informational materials
  • Travel (to the extent that the data transactions are ordinarily incident to travel to or from any country)
  • Official business of the U.S. government (to the extent the data transactions are for the conduct of the official business of the U.S. government by employees, grantees, or contractors, and transactions conducted pursuant to a grant, contract, or other agreement entered into with the U.S. government).
  • Financial services (to the extent that they are ordinarily incident to and part of the provision of financial services).
  • Corporate group transactions (including data transactions between a U.S. person and a subsidiary or affiliate in a country of concern, as long as they are ordinarily incident to and part of administrative or ancillary business operations, but not including data transactions involving government-related data and bulk U.S. sensitive personal data with foreign subsidiaries of U.S. companies in a country of concern for research and development purposes).
  • Transactions required or authorized by federal law or international agreements, or necessary for compliance with federal law.
  • Investment agreements subject to a Committee on Foreign Investment in the United States (CFIUS) action.
  • Telecommunications services (other than those involving data brokerage, to the extent that they are ordinarily incident to and part of the provision of telecommunications services).
  • Drug, biological product, and medical device authorizations (data transactions involving “regulatory approval data” that is necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device, or combination product, if certain reporting and recordkeeping requirements are met).
  • Other clinical investigations and post-marketing surveillance data (to the extent they are ordinarily incident to and part of certain clinical investigations regulated by the U.S. Food and Drug Administration or the collection and processing of clinical care data indicating real-world performance or safety of products or post-marketing surveillance data). 

Please note that, unlike other data privacy laws (e.g., GDPR), there is no consent-based exemption allowing U.S. persons to consent to a company using their data for prohibited or restricted purposes.

Key Compliance Obligations: Company Actions 

Know your Data: the NSD expects companies that are subject to the DSP to "know their data." This means conducting a thorough inventory of: (a) the kinds and volumes of data the company collects, processes, and stores on U.S. persons or U.S. devices; (b) how the company uses the data; (c) whether the company engages in covered data transactions; and (d) how such data is marketed, particularly with respect to current or recent former employees or contractors, or former senior officials, of the United States government, including the military and Intelligence Community. 

Due diligence: Companies need to verify that their partners, service providers, and contractors do not have prohibited connections to "countries of concern" or "covered persons." This is not a one-time confirmation — it is an ongoing obligation that requires regular monitoring and updating as business relationships evolve. 

Data Compliance Program: In order to engage in "restricted transactions," companies also need to implement a written, annually certified data compliance program that complies with the security restrictions discussed above in connection with "restricted transactions." 

Recordkeeping: Companies need to maintain detailed records of their data handling practices, compliance measures, and any transactions that might implicate the program's restrictions (e.g., "restricted transactions") for a period of ten (10) years after the date of such a transaction. Such records should be easily auditable and meet certain requirements, such as annual certification by the company.  

Audit: Companies need to conduct regular assessments of their compliance program. These audits need to be conducted by qualified professionals and must examine both technical safeguards and administrative controls. Audits must be performed once for each calendar year in which a restricted transaction occurs and must cover the 12 preceding months.

Reporting: Under the DSP, the NSD may also require, from time to time and at any time the DOJ demands, reports and complete information regarding any act, transaction, or covered data transaction, which must be furnished under oath. Additionally, commencing on October 6, 2025: (a) any U.S. person that receives and rejects a prohibited transaction involving data brokerage must report it within 14 days of the rejection; and (b) any "restricted transactions" involving cloud-computing services must also be reported annually where 25% or more of the U.S. person's equity interests are owned by a "country of concern" or "covered person."

Understanding the Risks: Penalties

The risks associated with non-compliance with the Data Security Program extend far beyond traditional regulatory penalties. Because this program is grounded in national security law, violations can carry severe consequences, including substantial civil and criminal penalties, and restrictions on a company's ability to conduct business. 

Civil penalties can range up to the greater of $368,136 or twice the value of the transaction. Criminal penalties for willful violations may result in up to 20 years in prison and a $1,000,000 fine. 

Perhaps more importantly, non-compliance can expose your business to reputational damage and loss of business opportunities. As awareness of the program grows, many organizations — particularly those with government contracts or security-sensitive operations — may require their partners and suppliers to demonstrate compliance with the DSP. 

There's also the risk of inadvertent violations. The program's broad scope and complex requirements mean that seemingly routine business activities could trigger compliance obligations. For example, using a cloud service provider with foreign subsidiaries, partnering with a company that has foreign investors, or even hiring employees with certain foreign connections could create compliance issues. 

More from Ward and Smith, P.A.