Sensitive Data Rule Ushers in Strict New Era of Compliance and National Security Controls

The US Department of Justice’s full enforcement of the Sensitive Data Rule (SDR) as of July 9, 2025, represents a sharp pivot in national data governance. In an article by the Constangy firm, attorneys Steven Morris, Anna Schall Kreamer, and Ryan Steidl explain that the SDR, rooted in President Biden’s Executive Order 14117, goes beyond traditional data privacy. It positions cross-border data sharing as a national security risk and mandates new restrictions on how US sensitive personal and government-related data is accessed or transmitted.

The DOJ’s Data Security Program establishes tight controls, especially on bulk data transactions involving “covered persons” or “countries of concern,” including China, Russia, Iran, and others. Notably, the rule captures even anonymized or encrypted datasets if thresholds, such as 100,000 covered identifiers or 10,000 health records, are met. Restrictions extend to data brokers, employment and vendor agreements, and human biological data, among other categories.

As of October 6, organizations must fully comply with affirmative obligations like due diligence, annual audits, detailed reporting, and executive-level certifications. Penalties for violations are steep, with civil fines reaching $368,136 per incident and criminal charges carrying up to $1 million in fines and 20 years in prison.

For compliance professionals, the Sensitive Data Rule raises the stakes significantly. It requires data mapping, stringent third-party vetting, updated contracts, employee training, and audit preparedness. The authors emphasize that this regulation is not static; with future advisory opinions and CISA standard changes anticipated, organizations must treat SDR compliance as a continuous process. Staying ahead of regulatory developments will be essential in navigating this new, security-driven data landscape.