Complying with New DOJ Rule on Sensitive Personal Data

May 22, 2025

According to a Bloomberg Law article written by attorneys at the Paul Weiss firm, the US Department of Justice (DOJ) has issued a sweeping new rule restricting how companies handle sensitive personal data, and the cybersecurity community must act fast. 

Effective April 8, but with enforcement delayed until July 8, the rule bans or limits US companies from sharing bulk sensitive personal data with individuals or entities from countries deemed foreign adversaries, such as China, Russia, and Iran. 

Civil and criminal penalties, including fines up to $1 million and prison terms up to 20 years, await noncompliant firms. The authors urge companies to use the remaining grace period to assess how the rule affects their data practices and begin the necessary remediation.

Compliance starts with reviewing internal datasets to identify any sensitive personal data, which includes not only expected categories like health and financial information but also data from fitness apps and user login credentials. Companies must also determine whether they possess government-related data, which is subject to heightened scrutiny. If regulated data is identified, businesses must evaluate their exposure through data brokerage agreements, even with non-adversarial foreign entities, and ensure such agreements prohibit access by covered persons.

Further, companies need to assess whether vendors, employees, or investors might inadvertently provide access to adversaries. In these cases, compliance demands more than contractual tweaks; it requires a full data compliance program with written policies, staff training, audits, and due diligence. The DOJ has offered informal guidance ahead of the July 8 deadline, but companies should not rely on extensions.

For cybersecurity professionals, this rule represents both a challenge and a call to action. Now is the time to collaborate with legal, compliance, and data teams to mitigate risk, revise contracts, and implement robust data governance. The cost of delay could be steep and avoidable.
