In a recent report, a team of Morgan Lewis lawyers discussed enforcement of the US Department of Justice’s (DOJ’s) Data Security Program (DSP). The report outlines critical considerations for companies and entities that may be affected by the extensive requirements of this national security initiative.
The DOJ’s final rule, implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, went into effect on April 8, 2025. The program aims to mitigate national security threats posed by foreign entities accessing sensitive US personal and government-related data. As of July 8, 2025, the DOJ expects full compliance with the DSP, marking a significant shift in enforcement priorities.
Under the DSP, US persons are prohibited from participating in certain data transactions involving specified countries of concern and designated “covered persons.” In addition, the DSP provides guidance on prohibited and restricted transactions. Prohibited transactions include highly sensitive transactions involving data brokerage; restricted transactions are prohibited except to the extent they comply with additional security requirements promulgated by the Cybersecurity and Infrastructure Security Agency.
Noncompliance with the DSP can result in civil and criminal penalties under the International Emergency Economic Powers Act. Civil penalties can reach up to $368,136 or twice the value of the transaction, while willful violations may lead to criminal prosecution, with fines up to $1 million and imprisonment for up to 20 years.
The DSP's enforcement underscores the importance of proactive compliance measures to mitigate risks associated with data transactions involving countries of concern or covered persons, as identified by the DOJ. Companies should leverage the transition period until October 6, 2025, to update internal policies and establish compliance mechanisms, ensuring readiness for the DSP's ongoing obligations.
Together with our colleagues on the technology, national security, and cybersecurity teams, Tech & Sourcing @ Morgan Lewis will continue to monitor any additional guidance regarding compliance with DSP and its potential impact.
Summer associate Danielle Genovese contributed to this post.