October 6: The Day U.S. Data Security Rules Get Real

Today marks a turning point for every organization that handles large volumes of U.S. personal or government-related data. The Department of Justice’s Data Security Program (DSP), authorized under Executive Order 14117, officially moves from guidance to enforcement. Starting October 6, 2025, companies that share sensitive U.S. data with foreign partners must have a written compliance program in place or face potential penalties. The rule is designed to stop bulk transfers of Americans’ sensitive information to countries that the U.S. deems national security risks.

Why This Day Matters

Since April, businesses have been on notice that new limits were coming. The DOJ allowed a short grace period to help organizations map their data, update contracts, and build internal controls. That grace period ends today. From this point forward, companies must prove they know where their data lives, who has access to it, and how it is protected when shared across borders.

What the Rule Covers

The DOJ rule restricts the transfer of “covered data”—a broad category that includes personal identifiers, health information, genetic data, financial details, biometrics, and precise location data. Even data that has been anonymized or encrypted can still qualify if it can be linked back to individuals or used to infer sensitive insights. Transfers of this data to countries of concern—including China, Russia, Iran, North Korea, Cuba, and Venezuela—are either fully prohibited or heavily restricted. Businesses connected to those jurisdictions must now show active oversight and audit trails for any continuing data relationships.

Two Levels of Restriction

  • Prohibited transactions: Full stop. No transfers, no licenses, no exceptions.

  • Restricted transactions: Permitted only if companies meet the DOJ’s due-diligence, audit, and reporting requirements.

To remain compliant, organizations must document each data exchange, confirm counterparty ownership, assess foreign risk exposure, and perform annual audits beginning now.

Practical Implications

The new rule reshapes how U.S. organizations use global data infrastructure. Many companies will need to:

  1. Map their data flows and identify where sensitive categories reside.

  2. Evaluate foreign vendors and cloud services for jurisdictional exposure.

  3. Update contracts to include new data-handling clauses.

  4. Establish governance and reporting frameworks consistent with DOJ guidance.

  5. Train employees on identifying restricted transactions before they occur.

Failure to comply can lead to civil or criminal enforcement, but the larger consequence is loss of trust and reputation.

A Broader Shift

The Data Security Program signals a new alignment between data privacy and national security. What began as a technical compliance issue now represents a deeper challenge: how to manage data responsibly in a world where digital and geopolitical boundaries overlap. For business leaders, today’s milestone is not just about checking a box. It is about redefining what responsible data stewardship means in an era where privacy protection has become a matter of national defense.

The Wheelhouse View: Resilience and Compliance in Focus

From an Integrated Risk Management (IRM) perspective, the DOJ’s Data Security Program underscores the “Resilience” and “Compliance” objectives within the IRM Navigator™ Model. Resilience demands that organizations anticipate and adapt to national-level shifts in data governance, while Compliance ensures that security and privacy obligations are translated into verifiable, auditable action.

The lesson for risk leaders is clear: regulatory compliance is no longer a back-office control. It is a front-line defense mechanism that directly shapes operational resilience and national trust.


Samantha "Sam" Jones

Samantha “Sam” Jones is the lead research analyst for the IRM Navigator™ series and a core contributor to The RiskTech Journal and The RTJ Bridge. As a digital editorial analyst, she specializes in interpreting vendor strategy, market evolution, and the convergence of technology with enterprise risk practices.

As part of Wheelhouse’s AI-enhanced advisory team, Sam applies advanced analytical tooling and editorial synthesis to help decode the structural changes shaping the risk management landscape.
