On April 11, 2025, the U.S. Department of Justice’s National Security Division (NSD) issued a Compliance Guide to provide additional information to assist companies and individuals in complying with the NSD’s Data Security Program (DSP).
The DSP, implemented by the NSD in February 2024 pursuant to Executive Order 14117, is a program designed to prevent foreign adversaries from using commercially-available Covered Data to undermine national security. Covered Data includes U.S. government-related data and U.S. private citizens’ sensitive personal data, such as bulk genomic, geolocation, biometric, health, and financial data. The DSP establishes controls that prevent the export of Covered Data to foreign adversaries and those subject to their control.
Data transactions covered by the DSP include data brokerage agreements, vendor agreements, employment agreements, and investment agreements that may contain Covered Data. U.S. persons may not knowingly engage in a Covered Data transaction with a covered person or any country of concern unless the U.S. person complies with all applicable DSP requirements. These include heightened data security requirements, implementation of a data compliance program, performance of annual audits, and compliance with certain recordkeeping requirements.
The DSP program went into effect on April 8, 2025, but the NSD has broadly delayed civil enforcement until July 8, 2025, to provide additional time for entities and individuals to come into compliance (as long as good faith efforts to comply are being made). Please reach out to us if you have questions about your company’s compliance with the DSP program.
[View source.]
