
U.S. companies that do business overseas now have another worry to add to their compliance list: the Data Security Program (DPS). The DPS is a program implemented under the International Emergency Economic Powers Act (IEEPA) and enforced by the U.S. Department of Justice (DOJ)’s National Security Division (NSD). It is aimed at “prevent[ing] China, Russia, Iran, and other foreign adversaries from using commercial activities to access and exploit U.S. government-related data and Americans’ sensitive personal data to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine our national security.”
According to a DOJ press release dated April 11, 2025, the DPS is the result of Executive Order 14117, issued on February 28, 2024, by President Biden. The program went into effect on April 8, 2025, but full enforcement was delayed for 90 days to allow entities and individuals to come into compliance. That three-month period has now expired, and although there are certain affirmative due diligence obligations that do not go into effect until October 6, 2025, it is now expected that the DOJ will begin enforcement in earnest.
The DPS is subject to both civil and criminal enforcement, including fines and imprisonment for the most serious violations involving bulk transfers of sensitive personal data to foreign adversaries. Luckily, there are a number of resources available to help companies ensure they are ready to meet this new challenge. The NSD has issued a Compliance Guide, as well as a list of 100 Frequently Asked Questions (FAQ). The regulations, the full text of which can be found at 28 C.F.R. § 202, are concerned primarily with preventing the transfer of U.S. government-related data and bulk genomic, geolocation, biometric, health, financial, and other sensitive personal data to China, Cuba, Iran, North Korea, Russia, and Venezuela. Other countries may be added by amendment.
There have already been at least two major prosecutions, one in Massachusetts and the other in the Northern District of Georgia. Both involved North Korean nationals who used false or stolen identities to secure employment with U.S. companies as remote IT workers and stole sensitive data and virtual currency. The schemes included shell companies, fraudulent websites, and laptop farms where the North Korean IT workers could log in and gain access to sensitive data. The North Koreans were assisted by individuals in the U.S., China, United Arab Emirates, and Taiwan, some of whom were also charged. The investigation included searches of multiple laptop farms across 16 states and the seizure of 29 financial accounts and 21 fraudulent websites.
Although the DOJ’s focus thus far has been on the foreign bad actors and their U.S.-based enablers, and although its press release refers to the companies involved as victims, it is clear that the DOJ views compliance with the Data Security Program as the primary means of prevention. Companies should, as soon as possible, review, implement, and follow the Compliance Guide, which includes recordkeeping and reporting requirements, risk assessments, vendor management and validation, written policies, training, and auditing. In addition, companies can find detailed answers to more than 100 questions in the Frequently Asked Questions (FAQ).
To kick off its enforcement efforts, the DOJ may soon start serving subpoenas and civil investigative demands (CIDs) on individuals and entities it suspects may not be complying with the DPS. At first, the focus is likely to be on actors the DOJ suspects are willfully ignoring the requirements. However, as time goes by, simple failure to implement a robust data compliance program may be enough to attract unwanted attention. SGR attorneys stand ready to assist in any event.