Morrison Foerster attorneys explain how companies should navigate the new security requirements under DOJ’s bulk data regulations and NIST compliance.
The Department of Justice’s Data Security Program entered into force in April, but it won’t be enforced against companies that are working in good faith to comply—for now. Companies need to capitalize on this temporary delay because DOJ expects full compliance by July 8.
The DSP is a significant, comprehensive data regulatory regime requiring US companies to ensure sensitive data isn’t accessible to countries of concern such as China or to covered persons such as foreign companies owned or controlled by entities or individuals in a country of concern.
US companies should keep the following insights in mind while working to achieve compliance over the next 90 days.
The DSP may apply even if you don’t have operations or business partners in a country of concern. US companies that engage in data brokerage transactions with foreign, non-covered companies are expected to contractually prohibit the onward transfer of covered data to countries of concern or covered persons and report violations to the DOJ.
The regulations also could apply to transactions between US persons if a transaction is used to evade the regulations, such as where the sender knows or has reason to believe the US recipient will send covered data to covered persons.
The DSP defines terms differently than other privacy contexts. Key definitions are broad, and ambiguities remain as to how they will be interpreted, so companies shouldn’t assume they are out of scope and should carefully assess how the DSP applies to them:
- Access: DOJ guidance emphasizes that implementing the DSP’s security requirements (issued by the Cybersecurity and Infrastructure Security Agency) doesn’t exempt a transaction from the regulations, but it isn’t clear whether existing security controls are relevant to an analysis of data “access.” This distinction is meaningful because it could determine whether the regulations apply at all.
- Data Brokerage: These transactions include “the sale of data, licensing of access to data, or similar commercial transactions,” which the DOJ confirmed to include both first- and third-party data brokers. First-party data brokerage could include data transfers between corporate affiliates. This term is defined more broadly than “data broker” activities in state data broker laws.
- Sensitive Data: Unlike most data privacy laws, the regulations also apply to “sensitive personal data” that was anonymized or de-identified.
DOJ expects oversight by top executives and the board. Compliance with the DSP is an enterprise risk management function requiring oversight by senior leadership. For example, the CEO, board, and audit committee are expected to review the DSP annual audit report. The CEO should consult with the chief compliance officer and other appropriate stakeholders to verify statements in the annual certification about the compliance program, due diligence, security requirements, and audit.
The exemptions are nuanced and may impose additional compliance requirements. Assessing applicability of the regulations requires a fact-gathering exercise and potentially an entity-by-entity analysis, such as which subsidiary provides access to which business partner for what purposes.
Exemptions also are limited by design and often require a “deep dive” into the data flows and purpose of the transaction to determine applicability. Companies that rely upon exemptions should document their analysis, and certain exemptions (such as drug authorization and clinical investigations) have specific recordkeeping requirements.
Know Your Data. US persons need to know the kinds and volume of data collected as well as where and how it’s stored and used. The DOJ expects US companies to take reasonable steps to ascertain this information when dealing in covered data, including by implementing robust data compliance programs with risk-based procedures. Traditional approaches to data mapping may need to be augmented.
Know Your Vendors and Customers. US companies are expected to understand vendor ownership and geographic location. US companies engaged in data brokerage transactions should take reasonable steps to evaluate counterparties’ status to assess if additional steps are required.
For example, US organizations engaged in data brokerage with foreign business partners must contractually prohibit the onward transfer of relevant data to a covered person. This requires companies to know their business partners and assess how their relationships will be viewed under the regulations.
The DOJ has not prescribed or endorsed any specific method to screen counterparties, but the company’s procedures must be reasonable. Importantly, contractual representations alone aren’t enough; companies must bolster any contractual limitations with risk-based procedures to conduct adequate diligence.
The regulations’ security requirements go beyond industry-standard frameworks. Although the regulations’ security requirements are based upon industry frameworks (such as the NIST cybersecurity framework), they often go beyond these standards. Consequently, adhering to an industry framework doesn’t mean you meet the DSP security requirements, so companies should determine what additional controls may be needed to comply.
Your compliance status may be questioned. US companies can expect to receive questions, contractual amendments, and requests for representations from vendors and counterparties about their compliance and operations (or lack thereof) in covered countries.
Even businesses that aren’t subject to the regulations may need to respond to counterparties’ requests. US companies should think ahead about their compliance status and be prepared to address and explain their position.
Update your compliance program to account for your risk profile. An appropriate compliance program is based on a company’s individualized risk profile and depends on a variety of factors. Policies, procedures, and internal controls must be implemented or tailored to address the regulations, including policies describing the compliance program and the implementation of the security requirements.
Although the DSP doesn’t require them, the DOJ encourages employee training, ongoing risk assessments, and internal controls that facilitate escalation and reporting.
Companies engaged in restricted transactions also need to prepare for annual audit and recordkeeping requirements. Failing to adopt and maintain adequate data compliance policies and procedures risks violating the regulations and may be an aggravating factor in enforcement actions.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Kaylee Cox Bankston is partner in Morrison Foerster’s privacy and data security group.
Joseph Folio is partner in Morrison Foerster’s global antitrust law, crisis management, and privacy and data security groups.
Joshua R. Fattal is an associate in Morrison Foerster’s privacy and data security group.