AMARILLO, TX – On April 11, 2025, the Department of Justice’s (DOJ) National Security Division (NSD) issued the Data Security Program: Compliance Guide to assist individuals and companies in complying with the rules implemented by the Data Security Program (DSP).
The DSP aims to protect U.S. Government-related data and Americans’ sensitive personal data from foreign adversaries that might exploit this information for malicious purposes. In practice, it controls who may gain access to that data through ordinary commercial transactions, so that it does not end up in the hands of a country of concern.
The Compliance Guide follows the NSD’s final rule implementing Executive Order 14117 (the Order), codified at 28 CFR Part 202 (Part 202). Part 202 prohibits or restricts certain “covered data transactions” that could give countries of concern or covered persons direct or indirect access to bulk sensitive personal data such as health, biometric, financial, genomic, or precise geolocation data, as well as data tied to U.S. Government personnel or facilities.
A “covered data transaction” is any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involves data brokerage, a vendor agreement, an employment agreement, or an investment agreement. The rule defines key terms, sets volume thresholds for what counts as “bulk” data, outlines exemptions, and authorizes enforcement through investigation, licensing, and penalties. It works alongside other national security authorities to prevent the exploitation of U.S. data for activities deemed adverse to national security.
As of April 8, 2025, entities and individuals are required to comply with the DSP’s prohibitions and restrictions, and with all other provisions of the DSP, except the affirmative obligations of subpart J (related to due diligence and audit requirements for restricted transactions), § 202.1103 (related to reporting requirements for certain restricted transactions), and § 202.1104 (related to reports on rejected prohibited transactions).
Starting October 6, 2025, entities and individuals must also comply with subpart J and 28 CFR §§ 202.1103 and 202.1104. Subpart J contains the due diligence and audit requirements. 28 CFR § 202.1103 contains an annual reporting requirement and spells out who must file, what must be reported, and when and where the report is due.
Under § 202.1103, the annual report must be filed by any U.S. person that engaged in a restricted transaction involving cloud-computing services and that has 25% or more of its equity interests owned, directly or indirectly, by a country of concern or covered person. The U.S. person that engaged in the restricted transaction has the primary responsibility for filing. The report covers restricted transactions engaged in during the preceding calendar year (as of December 31) and is due by March 1 of the following year. The specific contents of the report are set out in subparagraph (d).
28 CFR § 202.1104 requires a report on rejected prohibited transactions. The report must be filed within 14 days of rejecting a transaction that the rule prohibits. Subparagraph (c) lists the specific information that must be included in the report.
The DSP was established to address the ongoing threats posed by foreign adversaries that use commercial activities to access and weaponize sensitive data. The program sets out regulations that prohibit or restrict certain transactions involving U.S. persons and foreign entities. These regulations are designed to prevent foreign adversaries from gaining access to data that could harm U.S. national security.
The DSP focuses on covered data transactions that involve any access by a country of concern or covered person to government-related data or bulk U.S. sensitive personal data. The DSP specifically identifies China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela as countries of concern.
A country of concern is a country that has demonstrated an intent and capability to use U.S. Government-related data and Americans’ sensitive personal data to threaten U.S. national security, including through espionage and economic espionage, surveillance, coercion and influence, blackmail, foreign malign influence, curbing dissent by U.S. persons, targeting journalists, political figures, members of marginalized communities, and other populations, and engaging in nefarious cyber-enabled activities.
To enforce these regulations, the DSP carries civil and criminal penalties for violations, including attempts to evade or avoid its prohibitions and restrictions. Anyone who engages in a prohibited transaction, fails to meet the conditions on a restricted transaction, or tries to work around the rules can face civil or criminal liability. The goal is to ensure that everyone complies with the DSP and that sensitive data remains protected.
Under the DSP, U.S. persons and entities are required to “know their data,” which means understanding what data they collect, how they use it, and whether their activities fall under the DSP’s regulations. This ensures that companies are aware of their responsibilities and take the necessary steps to protect sensitive data.
Additionally, the DSP addresses each type of covered data transaction separately: data brokerage, vendor agreements, employment agreements, and investment agreements. Data brokerage involving bulk U.S. sensitive personal data with a country of concern or covered person is prohibited outright, while vendor, employment, and investment agreements are restricted and may proceed only if the U.S. person meets the rule’s security, due diligence, audit, and reporting conditions.
Key Takeaways For DME Companies
- DME companies routinely handle sensitive personal data, including personal health data, which is one of the categories of sensitive personal data covered by the DSP. Health data on more than 10,000 U.S. persons meets the rule’s volume threshold and counts as bulk U.S. sensitive personal data. Foreign adversaries could exploit this data for espionage or coercion, so DME companies that reach these volumes must comply with the DSP’s prohibitions and restrictions.
- DME companies must be vigilant in their transactions and partnerships, ensuring that they do not inadvertently give a country of concern or covered person access to sensitive data.
- One of the key aspects of the DSP is the regulation of “covered data transactions,” which include data brokerage, vendor agreements, employment agreements, and investment agreements. For DME companies, this means that any arrangement that could give a foreign vendor, employee, or investor access to bulk sensitive personal data must be reviewed to determine whether it is prohibited, restricted, or exempt under the rule.
- DME companies must ensure that their employees and partners are aware of these regulations and comply with them to avoid potential criminal or civil penalties.
- DME companies must “know their data,” including understanding what data they collect, how they use it, and whether their activities fall under the DSP’s regulations. This helps ensure that they take the necessary steps to protect sensitive data and comply with the program.
In summary, the DSP requires DME companies to implement robust data security measures, conduct thorough due diligence, and comply with regulations to protect sensitive personal data from foreign adversaries. By doing so, they help safeguard U.S. national security and maintain the trust of their customers.
Jeffrey S. Baird, Esq. is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Texas with a national healthcare practice. He represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].
Jacque K. Steelman, Esq. is a member of the Health Care Group at Brown & Fortunato, PC, a law firm with a national healthcare practice based in Texas. She represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Ms. Steelman can be reached at (972) 684-5789 or [email protected].