Starting July 8, 2025, U.S. companies handling sensitive personal or government-related data will face a powerful new enforcement regime from the Department of Justice.

In this article for Law360, Christian R. Everdell and Marvin J. Lowenthal explain the sweeping implications of the DOJ’s new Data Security Program (DSP), enacted under Executive Order 14117. The DSP empowers the DOJ to pursue civil and criminal actions against U.S. entities that allow access to sensitive data by foreign adversaries through certain transactions like data brokerage, vendor agreements, and foreign investments.

With the 90-day enforcement grace period ending, the authors break down the key definitions, potential pitfalls, and compliance strategies companies need to understand to avoid becoming early enforcement targets.