What the DOJ’s New Data Security Rule Means for U.S. Companies: Key Steps to Take During the 90-Day Grace Period


The U.S. Department of Justice (DOJ) has recently enacted a pivotal data security rule, effective April 8, 2025, aimed at safeguarding sensitive personal and government-related data from foreign adversaries. This regulation introduces stringent export controls, particularly focusing on transactions involving countries of concern such as China, Russia, Iran, North Korea, Cuba, and Venezuela.

Why This Topic Is Timely

With the rule being newly implemented, companies are currently in a 90-day grace period, lasting until July 8, 2025. This period allows organizations to align their practices with the new requirements without facing enforcement actions, provided they demonstrate good faith efforts. The DOJ has also issued a Compliance Guide and FAQs to assist businesses in understanding and adhering to these new standards.

Summary of the DOJ’s New Data Security Rule

The rule applies to a broad spectrum of business activities, including data brokerage, vendor agreements, employment, and investment contracts. It is crucial for companies to understand which countries are deemed “of concern” and how this impacts their operations.

What the 90-Day Grace Period Means

During this grace period, companies have the opportunity to thoroughly review and update their data handling practices. This window is critical for ensuring compliance and avoiding potential penalties.

Practical Steps for Compliance

To comply with the DOJ’s new rule, companies should focus on the following steps:

  • Review Vendor Relationships: Ensure that all third-party vendors comply with the new data security standards.
  • Update Contracts: Modify existing contracts to reflect the new compliance requirements.
  • Enhance Data Security Protocols: Implement robust data protection measures to safeguard sensitive information.

Potential Risks and Penalties

After the grace period ends, companies that fail to comply may face significant penalties. It is essential to understand the risks associated with willful non-compliance and take proactive measures to mitigate them.

Actionable Checklist

Here is a simple checklist for organizations to follow during the grace period:

  1. Conduct a comprehensive audit of current data handling practices.
  2. Update all relevant contracts and agreements.
  3. Train staff on new compliance requirements.
  4. Implement enhanced data security measures.
  5. Regularly review and update compliance strategies.