DOJ Releases Data Security Compliance Tips for New U.S. Program


The U.S. Department of Justice (DOJ) has published data security compliance tips to help individuals and businesses comply with the new national data security program. This program, introduced under the Biden administration, went into effect on April 8, 2025, and aims to safeguard Americans’ sensitive personal data from foreign adversaries, including China, Russia, Iran, and other nations seeking to exploit U.S. data through commercial transactions.

The new program imposes strict data export controls designed to prevent foreign adversaries and entities under their jurisdiction from accessing sensitive U.S. government data and personal information, such as genomic, geolocation, biometric, health, and financial data. These controls will limit foreign entities’ ability to acquire U.S. data, making it harder for adversaries to gain access.

Deputy Attorney General Todd Blanche emphasized that foreign adversaries often seek to purchase U.S. data through market transactions or pressure companies within their jurisdiction to surrender it, rather than conducting complicated cyberattacks. “The data security program makes obtaining that data significantly more difficult,” Blanche stated.


In February 2024, former President Joe Biden signed Executive Order 14117, establishing the new program under the DOJ’s National Security Division (NSD). This move was prompted by concerns about the national security risks posed by data breaches and their impact on U.S. foreign policy. The program addresses the “unusual and extraordinary threat” posed by the potential misuse of sensitive data by foreign adversaries.

To assist the public in navigating the new program, the DOJ has released a “best practices” guide that includes answers to over 100 frequently asked questions. This guide also details the DOJ’s enforcement approach during the first 90 days of the program’s implementation and outlines the steps for requesting licenses and advisory opinions.

“NSD will be taking further steps over the coming weeks to implement the program, including publishing an initial list of persons and entities subject to foreign adversary control,” the DOJ announced.

While the program went into effect on April 8, the DOJ is delaying enforcement of certain due diligence obligations until October 6, 2025, to allow more time for compliance. Additionally, the DOJ will not prioritize civil enforcement actions against individuals or entities who demonstrate good faith efforts to comply with the program between April 8 and July 8, 2025.

The DOJ encourages businesses to amend contracts, review data flows, and implement the security requirements set forth by the Cybersecurity and Infrastructure Security Agency (CISA) to meet compliance standards.

By the end of the 90-day grace period, entities are expected to be fully compliant with the DOJ Data Security Compliance Tips and the broader data security program. However, the DOJ emphasized that failure to engage in good faith efforts could still result in civil enforcement actions.

For further information on the DOJ’s data security program and compliance guidelines, please visit [DOJ website] or refer to the official DOJ Data Security Compliance Tips guide.