The DOJ Sensitive Data Rule: A Race to Compliance Maturity
- Alan Grose, XL Law Consulting
On October 6, 2025, the final provisions of the DOJ Sensitive Data Rule took effect, completing the framework for the DOJ’s Data Security Program.
Institutions engaging in relevant data-sharing activities should move quickly to ensure compliance.
On October 6, 2025, the last provisions of 28 C.F.R. Part 202, “Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (“DOJ Rule”) took effect, completing the regulatory foundation of the Department of Justice’s (“DOJ”) Data Security Program (“DSP”). The DOJ Rule now prohibits or restricts U.S. persons, including U.S. institutions of higher education (“IHEs”), from allowing access to certain types of U.S. bulk sensitive personal data or government-related data (“Covered Data”) to individuals or entities associated with six countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, or Venezuela. Previously, we described the provisions of the DOJ Rule in our March 13, 2025 Article and provided an overview of the DOJ’s initial guidance in our April 29, 2025 Article.
Early guidance and administrative actions make it clear that the Government will expect IHEs to exercise broad diligence related to transactions involving Covered Data on a par with its expectations in other areas of national security compliance. Institutions should, accordingly, move quickly to ensure compliance with the DOJ Rule’s provisions.
A Race to Compliance Maturity: Key Regulatory Drivers
The DSP expects that IHEs should have (1) a thorough understanding of the kinds of data they possess and (2) careful documentation of the terms by which others may access that data. The sense of urgency around meeting these expectations is nowhere more evident than in the DOJ Rule compliance certification requests that research institutions that share potentially Covered Data are beginning to send to the IHEs that receive that data. The following are the key regulatory obligations driving these requests.
Reporting Related to Prohibited Transactions. The DOJ Rule now expects IHEs to be able to report certain violations related to prohibited transactions within 14 days.
Rejected Prohibited Transactions. Section 202.1104 requires that IHEs that, on or after October 6, 2025, receive and affirmatively reject an offer of a prohibited transaction report the offer and the details of the rejection within 14 days of the IHE rejecting the offer.
Violations of Contractually Prohibited Onward Transfers. Section 202.302 requires IHEs to report known or suspected violations of contractually prohibited onward transfers of Covered Data within 14 days of the IHE’s becoming aware of the known or suspected violation.
As a reminder, the DOJ Rule prohibits three kinds of transactions involving Covered Data: (1) data brokerage transactions with a country of concern or covered person; (2) data brokerage transactions with a foreign person, unless that foreign person is contractually prohibited from engaging in onward transfers of the Covered Data to a country of concern; and (3) vendor agreement, employment agreement, or investment agreement transactions involving human ‘omic data (including human genomic data) or human biospecimens from which human ‘omic data may be derived, unless a specifically enumerated exemption applies.
Audits and Reports of Restricted Transactions. IHEs engaging in vendor agreements, employment agreements, or investment agreements that would allow access to Covered Data by countries of concern or covered persons (“Restricted Transactions”) will soon need to audit and in some cases report those Restricted Transactions that took place between October 6, 2025, when the provisions took effect, and December 31, 2025.
Audited Data Compliance Programs. Section 202.1002 provides that any IHE that engages in any Restricted Transaction must conduct annual audits of (i) those transactions from the previous calendar year, (ii) the implementation of CISA Security Requirements, and (iii) its data compliance program.
Annual Reports for Certain Restricted Transactions Involving Cloud-Computing. Section 202.1103 provides that any U.S. person that engages in a Restricted Transaction involving cloud-computing and that has 25% or more of its equity interest owned directly or indirectly by a country of concern or covered person must file a report annually with the DOJ regarding those Restricted Transactions. If applicable, the reports are due by March 1 for Restricted Transactions during the previous calendar year.
General Recordkeeping and Reporting. The DOJ Rule also expects a high level of diligence in general recordkeeping.
Records and Recordkeeping. Section 202.1101 requires IHEs that engage in any transaction subject to the DOJ Rule to keep “a full and accurate record of each such transaction engaged in, and such record shall be available for examination for at least 10 years after the date of such transaction.”
Reports to Be Furnished on Demand. Section 202.1102 provides the DOJ with broad authority to request reports and information, as well as extensive investigative powers, related to any act or transaction subject to the rule.
Enforcement Outlook: Guidance and Agency Signaling
Though we have not yet seen any public enforcement actions under the DSP, guidance and related agency actions signal that the protection of Covered Data will be a significant national security priority.
Guidance. The guidance to date suggests that enforcement will encompass a wide range of national security concerns and will involve agencies beyond the DOJ National Security Division.
DOJ National Security Division Website. On its webpage for the Data Security Program, the DOJ cites that “the Data Security Program establishes what are effectively export controls that prohibit or restrict countries of concern (and covered persons subject to their jurisdiction, ownership, control, or direction) from engaging in certain categories of transactions with U.S. persons.” It includes among the threats associated with such commercial transactions that foreign adversaries could use Covered Data “to commit espionage and economic espionage, conduct surveillance and counterintelligence activities, develop AI and military capabilities, and otherwise undermine U.S. national security.”
Joint Guidance on Safeguarding Academia. On August 25, 2025, the Office of the Director of National Intelligence (ODNI), in partnership with multiple agencies including the DOJ, NSF, NIST, and the Department of Education, released a guidance document entitled “Safeguarding Academia” outlining multiple enforcement priorities related to research security. In a survey of potential targets of malign foreign actions, the agencies list, alongside such familiar targets as research and technical information, intellectual property, and technical expertise, “student, employee, customer, or U.S. person data,” signaling that the Data Security Program may soon stand on a par with such traditional enforcement priorities related to malign foreign influence as export controls, research security, and Section 117 foreign gift reporting.
Whistleblower Incentives. On September 24, 2025, the DOJ quietly updated its DSP Frequently Asked Questions document to provide more details about how individuals in the U.S. or abroad may report possible violations of the DSP and potentially become eligible for a reward. The FAQ document directs reports to the whistleblower program at the Financial Crimes Enforcement Network (FinCEN) in the Department of the Treasury.
Relevant Agency Actions. Though the DOJ Rule affords broad deference to other administrative agencies, including through exemptions for transactions “to the extent that they are for the conduct of the official business of the United States Government by its employees, grantees, or contractors,” early indications are that other agencies also share national security concerns related to U.S. sensitive data.
FDA and NIH Initiatives. Both the FDA and NIH have taken steps to review access to certain biospecimens by countries of concern. On June 18, 2025, the FDA announced in a Press Release that it would review certain “new clinical trials that involve sending American citizens’ living cells to China and other hostile countries.” Similarly, on September 24, 2025, NIH announced a new “NIH Biospecimens Security Policy” that would apply to “all human clinical and research biospecimens obtained from U.S. persons (regardless of identifiability) that are collected, obtained, stored, used, or distributed and that are supported or funded by any on-going or new NIH funding mechanisms (grants, cooperative agreements, contracts, Other Transactions, and intramural support) regardless of NIH funding level.”
DOJ and CFIUS Notice in the 23andMe Bankruptcy. On April 17, 2025, the United States filed a notice regarding potential national security concerns with the court overseeing the bankruptcy of the once-popular genetic testing company 23andMe. The filing noted not only that settlement-related transactions may be subject to review by the Committee on Foreign Investment in the United States (“CFIUS”), but also that they “may be prohibited or restricted by the Data Security Program administered by the Department of Justice.”
Actions IHEs Should Be Taking Now
With the DOJ Rule fully in effect and IHEs racing to build the documentation of their compliance, there are several key actions that all IHEs should undertake now.
- Identify and route certification requests to OGC to ensure that all such requests are reviewed by counsel.
- Develop risk-based approaches to identifying restricted or prohibited transactions and procedures either to end those data-sharing activities or to put in place appropriate compliance measures.
- Implement measures for ongoing compliance, including (1) contractual provisions to ensure that the parties to data-sharing transactions comply with the DOJ Rule and (2) training and procedures for stakeholders to understand their obligations, as well as when and how to address offers of prohibited transactions or other suspected violations.