Townsend L. Bourne of Sheppard, Mullin, Richter & Hampton LLP writes:
The U.S. Department of Justice (DOJ)’s new data security rule went into effect April 8, 2025. The rule creates what are effectively export controls and requires companies to take measures to prevent U.S. sensitive personal and government-related data from falling into the hands of foreign adversaries. The rule targets transactions (including data brokerage, vendor agreements, employment agreements, and investment agreements) involving access to bulk sensitive personal data or government-related data when those transactions involve identified covered persons or countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela).
On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, a Frequently Asked Questions (FAQs) document, and its Implementation and Enforcement Policy, offering critical clarity on how it will assess compliance and approach enforcement of the rule. One of the most significant elements of the policy is the DOJ’s announcement of a 90-day grace period (between April 8, 2025 and July 8, 2025) for companies making good faith efforts to comply (willful violations may still be pursued). This grace period is intended to encourage early cooperation and foster a compliance-first mindset across industries.
Read more at The National Law Review.