National Security Meets Data Security: Understanding the DOJ’s Bulk Data Rule
July 22, 2025
As the grace period recently expired on the new U.S. Department of Justice (“DOJ”) rule designed to safeguard sensitive personal and government-related data from foreign adversaries, it is crucial for U.S. entities to take proactive steps to achieve compliance.[1] Under Executive Order 14117, DOJ finalized its new Data Security Program (“DSP”), also known as the Bulk Data Rule. As of April 8, 2025, U.S. entities must determine their eligibility under the rule and, if eligible, be able to demonstrate that they know where all their data resides. Further, if an entity engages in certain restricted transactions, it will need to have an independent auditor certify compliance with particular security and recordkeeping requirements under the rule.[2]
This new DOJ rule restricts or bars the transfer of U.S. “bulk” sensitive personal data to countries of concern or covered persons. Bulk data is defined as a “collection or set of sensitive personal data relating to U.S. persons, in any format, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.”[3]
The rule went into effect on April 8, 2025, with a 90-day grace period for enforcement, provided organizations demonstrated “good faith” efforts to comply. Organizations found to be in noncompliance after the grace period ended on July 8, 2025, may face civil fines and criminal penalties.[4] There is an additional deadline of October 6, 2025, for affirmative obligations regarding due diligence, audit, and recordkeeping requirements.[5]
With uncertainty regarding how the rule will be interpreted and enforced, developing an understanding of its implications and risks, along with developing a path forward, is key to ensuring meaningful compliance is achieved, and financial and reputational damages are avoided.
National Security Risks
At its core, the Bulk Data Rule is a national security measure, not a traditional data privacy regulation. It reflects a growing concern within the U.S. government that foreign adversaries are gaining access to and exploiting Americans’ sensitive personal data at large scale. As such, organizations should develop compliance strategies similar in approach to those used for other national security-focused regulations, such as sanctions controls or Committee on Foreign Investment in the United States (“CFIUS”) obligations.[6]
According to DOJ, countries of concern could exploit bulk data on U.S. citizens in a variety of damaging and disruptive ways.[7] These include traditional and economic espionage; surveillance; sabotage and extortion; cyber attacks; and foreign malign influence operations, as well as targeting specific U.S. citizen groups (politicians, journalists, marginalized communities, etc.).
These methods can result in the theft of proprietary information, coercion of individuals in positions of influence, disruption of U.S. critical infrastructure, and the spread of misinformation and disinformation intended to sow division. The broad range of threats highlights why the Bulk Data Rule goes beyond privacy concerns, framing the issue as a matter of national security.
What the Rule Requires
Typical strategies for compliance, such as deidentification and anonymization of data, are not sufficient under the Bulk Data Rule. The framework under the rule is not flexible or risk-weighted, but instead consists of binary, explicit security requirements. In turn, compliance depends on implementing structural changes to data programs, not just on whether the data appears anonymous.
Achieving compliance will also demand varying degrees of verification and documentation processes. For example, the rule contains enhanced “know your data” and recordkeeping requirements, meaning organizations must develop and maintain a clear understanding of what sensitive personal bulk data they possess, where it is stored, how it moves through networks and across borders, and who has access. Importantly, this process is not a one-time exercise; it must be continuously reviewed and updated to meet the rule’s expectations regarding national security. Entities are required to maintain their records and be able to produce evidence of compliance when requested by the DOJ. For example, any restricted transaction must be documented, and that record must be retained and made available for review for at least 10 years after the date of the transaction.[8]
Next Steps
Before determining compliance readiness, organizations need to first understand their internal data map and flows. This includes identifying what data they have and whether it can be considered “sensitive personal data relating to U.S. persons,” where specifically it is going, and who can access this data.
These key questions are best addressed by partnering with technical experts who can assist in evaluating current data systems and identifying associated risks and vulnerabilities. Organizations handling sensitive personal data or covered data face diverse and complex risks, requiring a tailored, practical approach to risk mitigation. Organizations need to undergo holistic assessments that examine the technical, administrative, and governance structures surrounding data covered by the DSP. Such assessments will surface cybersecurity gaps that need to be remediated.
A technical partner can also assist with mitigating identified risks by developing and/or implementing fixes and improvements that shore up systems, ensuring that the network has addressed key vulnerabilities. Following an assessment, and working in tandem with the organization and any counsel, the technical partner will identify and provide the most effective mitigation strategies based on the organization’s unique risk profile, leveraging any internal frameworks and resources that exist.
Achieving compliance can be complicated, especially because of the national security framing of the rule. The sooner organizations begin assessing data flows and implementing structural changes, the better positioned they will be to safeguard sensitive personal data, avoid enforcement, and guard against reputational harm resulting from regulatory action.
It is vitally important for organizations to take proactive action. While it is possible the DOJ is already investigating certain corporate entities, organizations that can demonstrate genuine strides towards compliance will be in a stronger posture to resolve any potential enforcement actions.
Footnotes:
1: “Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries”, U.S. Department of Justice (April 11, 2025).
2: Id.
3: “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons”, 90 Fed. Reg. 1636, 1708 (January 8, 2025).
4: Id. at 1730.
5: Id. at 1728.
6: “The Committee on Foreign Investment in the United States (“CFIUS”)”, U.S. Department of the Treasury.
7: “Justice Department Issues Final Rule Addressing Threat Posed by Foreign Adversaries’ Access to Americans’ Sensitive Personal Data”, U.S. Department of Justice (December 27, 2024).
8: Id. at 1729.