The Department of Justice has released new guidance, frequently asked questions and an enforcement policy to facilitate the implementation of a national security program that seeks to prevent foreign adversaries from accessing and exploiting U.S. government-related data and bulk sensitive personal data.
DOJ said Friday the National Security Division, or NSD, implements the Data Security Program to prevent Russia, China, Iran and other countries of concern from gaining access to U.S. government data and Americans’ sensitive personal information. This is to prevent them from conducting surveillance and counterintelligence, building AI and military capabilities and performing espionage and other activities that undermine U.S. national security.
The DOJ in December issued a final rule to implement a regulatory program aimed at addressing potential national security threats resulting from foreign adversaries’ malicious use of sensitive data. This was part of the department’s compliance with an executive order.
Data Security Program Compliance Guide
The compliance guide describes best practices for complying with the Data Security Program, which took effect on April 8. It offers guidance on key definitions and the requirements for establishing a robust data compliance program.
The document also offers information on prohibited and restricted transactions, provides model contractual language and recommends best practices for complying with the program’s recordkeeping and audit requirements.
Meanwhile, the FAQs provide information on processes for requesting licenses and advisory opinions, reporting rejected transactions and disclosing program violations.
Implementation & Enforcement Policy
Under the implementation and enforcement policy, NSD will not prioritize civil enforcement actions against any individual for violations of the Data Security Program that occur from April through July 8, provided that the person engages in efforts to comply with the program. NSD expects individuals and entities to be in full compliance with the program at the end of the 90-day period.
The policy also delays certain affirmative due-diligence obligations, which do not go into effect until Oct. 6, to provide entities and individuals more time to comply with the program.
