DSP Compliance: DOJ Sets July 8, 2025 Deadline (Part III of III)

As if legal and compliance professionals did not have enough responsibilities on their plates, DOJ dropped another shoe (to join the tariffs, sanctions and export controls, and immigration issues) and upped the stakes for ethics and compliance programs. DOJ issued a comprehensive set of new regulations governing data security under its Data Security Program (DSP) and gave companies a 90-day head start — once we get to July 8, 2025, DOJ warned, the enforcement games begin.
While these dates and statements should have hit everyone hard, the reality is that DOJ will take its time to implement a mature and aggressive enforcement regime. In the absence of a blatant and knowing violation, DOJ will exercise some discretion in recognition of the significant burden placed on global companies.
In yet another acknowledgement that 2025 may be a steady ramping effort, DOJ noted another deadline, October 6, 2025, for U.S. individuals and companies to meet specific due diligence and audit requirements as part of an overall compliance regime.
In its April 11, 2025 announcement package, DOJ included guidance on a DSP compliance program. Aside from the well-known elements of a DSP compliance program, DOJ explained that due diligence programs should be applied to company vendors pursuant to a written policy along with required cybersecurity policies. Further, DOJ noted that companies should conduct an independent annual audit to ensure overall effectiveness of the compliance program.

At the core of the compliance requirements is the company’s obligation to know its data — what types it holds, where the data is stored and maintained, and what security overlay exists to protect the data from cyber-attacks and other possible breaches. Data compliance programs have to include risk-based procedures to verify data transactions, including the types and volumes of data involved in the transactions, the identity of the transaction parties, and the end-use of the data. Most importantly, DOJ expects U.S. individuals and entities to take reasonable steps to know their data, especially when dealing in bulk U.S. sensitive personal data and/or government-related data. Companies have to track data transactions (external and internal) and monitor data categories and bulk numbers.
U.S. companies that conduct data transactions involving cloud-computing services will be required to file an annual report if a percentage threshold is reached — 25% or more of the U.S. person’s equity interest is owned by a country of concern or a covered person.
The DSP rules are comprehensive and raise some potential issues governing a range of data transactions, including intra-company transfers resulting in data sharing with employees.
Add to the mix a host of recordkeeping requirements, and you have a new and robust DSP compliance requirement. U.S. persons have to preserve records for 10 years, and specific requirements govern restricted transactions and other basic records. DOJ has the authority to request reports on any act, transaction or covered data transaction.
U.S. persons and companies are not required to aggregate or decrypt their information to comply with “know your data” requirements. Entities that use certain categories of data usually have access to user statistics to estimate the number of impacted individuals for the purpose of identifying whether a particular transaction meets the bulk threshold. Given that the bulk thresholds are built around order-of-magnitude evaluations of the quantity of user data, it is reasonable for entities to conduct similar order-of-magnitude assessments of their data and transactions for DSP compliance purposes.

The stakes for DSP compliance will be very high, especially given the designation of China as a “country of concern.” For companies that operate in China, DSP compliance must be an immediate focus. To address these risks, companies should:
1. Design and implement a DSP compliance policy with buy-in and support from leadership.
2. Identify and assess all of their data to ensure that they know the type and location of all of it. Once understood, companies have to map the internal and external flow of data, including the countries involved and then the vendor, third-party, employment, and financial agreements through which data moves.
3. Incorporate a data security analysis with a keen eye on DSP risks — countries of concern, covered persons, sensitive personal and government data, and potential prohibited and restricted transactions (again internal and external). For those companies facing DSP risks, compliance with cybersecurity standards will be critical.
4. Incorporate robust due diligence requirements to identify all parties to a data transaction and the ultimate user of the data, and on that basis ascertain whether the transaction is restricted or prohibited.
5. Define reporting requirements, recordkeeping preservation procedures, monitoring and audit procedures.
6. Prioritize DSP training as a new and important add-on to the current training curriculum.
7. Appoint a qualified data security professional to lead the compliance program and administer each element.
As an important reminder, the data security officer should report directly to the CCO or CIO and ultimately to the Compliance Committee.
To all compliance professionals, we have heard DOJ, and the race against time has now begun. Good luck everyone!!!!!