
Data Security Program Cheat Sheet

This resource provides an overview of the U.S. Data Security Program, which establishes controls to prevent foreign adversaries from accessing sensitive U.S. data.


Published: July 2025



The U.S. Department of Justice's final rule on protecting Americans' sensitive data took effect on 8 April 2025. The Data Security Program was adopted pursuant to Executive Order 14117 and is implemented by the DOJ's National Security Division. The DSP establishes controls to prevent foreign adversaries, and those subject to their control and direction, from accessing bulk U.S. sensitive personal data and U.S. government-related data.

This cheat sheet provides an overview of the DSP. The IAPP has additionally published an article on preparing for the DSP, and the IAPP Resource Center hosts a Cybersecurity Law topic page, which is regularly updated with the latest relevant news and resources.


This resource is also available as an infographic in PDF format, accessible here.

Authority, Regulation, Effective Date


Scope

The Data Security Program applies to any U.S. person that engages in transactions involving U.S. sensitive personal data or U.S. government-related data where there is a potential for access by covered persons or countries of concern.

A transaction is within the scope of the rule if:

  1. It involves any access by a country of concern or covered person to any bulk U.S. sensitive personal data or government-related data; and
  2. It involves one of the following:
     • Data brokerage
     • Vendor agreements
     • Employment agreements
     • Investment agreements

Access means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive data in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment or software.

Currently, there are six designated countries of concern:

  • China (including Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

Thresholds For Bulk Data

Sensitive personal data means human genomic and other human 'omic data, biometric identifiers, precise geolocation data, personal financial data, personal health data, covered personal identifiers or any combination thereof. "Bulk" sensitive personal data is defined by numerical thresholds. The thresholds apply over any 12-month period and may be met through a single transaction or through multiple related transactions.

Data Type                                  Bulk Threshold
Human genomic data                         More than 100 U.S. persons
Human 'omic data (§ 202.224)               More than 1,000 U.S. persons
Biometric identifiers (§ 202.204)          More than 1,000 U.S. persons
Precise geolocation data (§ 202.242)       More than 1,000 U.S. devices
Personal financial data (§ 202.240)        More than 10,000 U.S. persons
Personal health data (§ 202.241)           More than 10,000 U.S. persons
Covered personal identifiers (§ 202.212)   More than 100,000 U.S. persons
Combined data (§ 202.205(g))               The aggregate meets the lowest threshold (U.S. persons or U.S. devices) of any category of data it contains


Exemptions

Several categories of transactions are exempt from all or parts of the DSP. Notable exemptions include:

  • Personal communications, such as email or phone calls, not involving the transfer of anything of value (§ 202.501).
  • The import or export of information or informational materials (§ 202.502).
  • Activities conducted on behalf of the U.S. government or required by federal law (§§ 202.504, 202.507).
  • Data transactions ordinarily incident to and part of the provision of financial services (§ 202.505) or telecommunications service (§ 202.509).
  • Corporate group transactions (§ 202.506).
  • Investment agreements subject to a Committee on Foreign Investment in the United States action (§ 202.508).
  • Drug, biological product and medical device authorizations (§ 202.510).
  • Medical research or clinical trials that fall under certain regulatory frameworks (§§ 202.510 and 202.511).

Compliance, Recordkeeping and Reporting Obligations

U.S. persons engaging in restricted transactions must implement robust compliance measures, including maintaining detailed records of restricted and prohibited transactions, internal controls and due diligence efforts. U.S. persons must also:

  • Submit annual reports to the DOJ summarizing covered transactions (§ 202.1103).
  • Report if they have received and affirmatively rejected any offer from another person to engage in a prohibited transaction involving data brokerage (§ 202.1104).
  • Provide additional documentation if requested by the DOJ (§ 202.1102).

Licensing

The DOJ provides two mechanisms for permitting otherwise restricted transactions:

  1. General licenses, which authorize a broad class of transactions, may be published by the DOJ (§ 202.801).
  2. A specific license applies to a particular transaction and must be requested by submitting an application to the DOJ (§ 202.802).

Enforcement

The DOJ is responsible for enforcing this rule and may take action through:

  1. Civil penalties, including fines up to USD 368,136 or twice the amount of the transaction that is the basis of the violation, whichever is greater.
  2. Criminal penalties: up to 20 years’ imprisonment and a fine of up to USD 1 million for a person who willfully commits, willfully attempts to commit, willfully conspires to commit, or aids or abets in the commission of a violation.
