May 30, 2025

Bulk Sensitive Data Rule: Assessing Your Obligations Is Step One

On April 8, 2025, the U.S. Department of Justice’s final rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the Rule) took effect. Organizations are currently in a grace period for enforcement that ends on July 8, 2025, provided that they use the interim period to make good faith efforts to comply with the Rule.[1]

Although U.S. Federal controls on sensitive data to protect national security interests are nothing new, many companies that operate outside of the U.S. defense industrial base will be subject to the Rule and will face a level of DOJ scrutiny that goes far beyond what they have previously experienced.[2] The range of covered data, how to demonstrate compliance if subjected to DOJ inquiry, and the enforcement penalties (up to and including criminal liability in some circumstances) present challenges and risks that demand the attention of the broad swath of companies implicated by this rule. Measures must be undertaken to evaluate exposure to, and proactively address, this new data security regime.

Operationally, the first step an organization should take to determine whether it is subject to the Rule is to assess:

  1. Whether it has sensitive data or government-related data of a type and in volumes that would invoke the Rule, and
  2. Whether it engages in any of the Rule-covered transaction types (data brokerage, nonpassive investment, employment agreements or vendor agreements) with countries of concern or covered persons.

If the answer to both questions is yes, the organization should take steps to demonstrate one of two things: either that none of its covered transactions with countries of concern or covered persons involves sharing bulk sensitive data or government-related data as defined by the Rule, or, where the company does engage in transactions that the Rule restricts or prohibits, that those transactions fall within a Rule-specified exception or otherwise fully comply with the Rule’s security requirements and processes for that transaction type.

While data brokerage and nonpassive investment agreements present their own features and challenges, here we will focus on operational considerations for evaluating risk as to employment agreements or vendor agreements.

Employees

For employees, a critical initial question is: Does our organization employ personnel resident in a country of concern? If the answer is yes, an informative next step is a risk-driven analysis of whether, based on each individual’s function/role and logical access, there is risk of access to data of a type covered by the Rule. The risk analysis likely will vary based on the function/role being analyzed. For example, the potential risks of rule exposure for back office personnel likely will be different than risks associated with market-facing personnel.

The results of that risk analysis can inform strategic next steps to mitigate exposure to the Rule or drive development of compliance controls that are responsive to U.S. Government equities and also reasonably acceptable to the business. Those steps can range from data mapping across the systems and applications to which personnel have access, in order to identify and mitigate data risk, to restricting the scope of functions/roles in countries of concern so as to eliminate or substantially reduce engagement with or support for U.S. personnel, clients or services. It is critical that any mitigation approach be informed by operational, financial and strategic business considerations.

Of course, if a business needs to engage in restricted transactions (or approved otherwise-prohibited transactions) as defined by the Rule, then it must implement security measures responsive to the Rule’s requirements. In evaluating how to build out these security controls, it is critical both to implement controls sufficient in breadth (fully covering all relevant transactions) and efficacy (effectively providing the requisite security) and to assure that the controls generate documentary evidence that proves the implemented controls are effective. Third parties with experience building data security programs subject to regulator oversight and audit can provide useful support for these exercises.

Third Parties (Vendors/Contractors)

The risk analysis and mitigation considerations for third parties are similar to those for employees, but there are some material differences. Among others, vendors present risk both at the entity level (e.g., location of legal incorporation, headquarters, ownership) and at the personnel level (i.e., data access by all vendor personnel providing services to the company). Therefore, both entity-level and personnel-level risk need to be addressed effectively.

Additionally, in many cases the data available to a company about its vendor or vendor personnel is likely to be less complete than the data the company can require in connection with an offer of employment. There may be instances where vendors refuse to provide information about the entity or specific vendor personnel necessary to inform analysis under the Rule, and the information is not otherwise available to the company (e.g., through licensed services that support vendor diligence). These additional complexities need to be accounted for in the company’s approach to Rule compliance.

At core, however, many aspects of the analysis remain the same. The initial step is to assure sufficient means to reasonably evaluate current and prospective vendors for whether they implicate covered person- or country-of-concern requirements under the Rule. For those vendors that may present risk, the next step in a risk assessment is to evaluate whether the services provided (e.g., as defined in a scope of work or engagement letter) are of a type that likely would allow the vendor or vendor personnel access to data of a type covered by the Rule.

Any vendors identified as presenting that risk then require further action, either: (i) additional confirmatory steps to validate whether the vendor or its personnel actually have access to sensitive data covered by the Rule; and/or (ii) assessment of whether there are means to mitigate the impact of the Rule (e.g., through different vendor staffing or through finding a different vendor). Of course, where restricted (or prohibited) transactions cannot be avoided, the above-described considerations related to effectively building the required security controls apply equally.

Conclusion

The Rule imposes a broad and demanding data security compliance regime responsive to a geopolitical shift from a globalized world to one marked by increasing great power competition and spheres of influence. Within that broader context, it would be a mistake to discount or ignore the U.S. Government’s focus on assuring that the Rule achieves its policy objectives. Companies need to take seriously the evaluation of the Rule’s applicability to their operations and, no matter how that analysis resolves, assure that they have controls and processes in place that document and demonstrate compliance in a manner that can be readily proven to DOJ if so requested.

[1] “Data Security Program: Compliance Guide,” Department of Justice, April 11, 2025, https://www.justice.gov/opa/media/1396356/dl

[2] Randall Cook et al., “DOJ Bulk Sensitive Data Rule: Assessing Applicability and Impact to Your Organization,” March 31, 2025, https://www.alvarezandmarsal.com/thought-leadership/doj-bulk-sensitive-data-rule-assessing-applicability-and-impact-to-your-organization