DOJ’s Data Security Program: Limited Window for U.S. Companies to Achieve Compliance
The Department of Justice’s Data Security Program (DSP), which was introduced earlier this year, provides a brief period of leeway for organizations striving to adhere to new data security measures. This grace period, however, is limited, as full compliance is expected by July 8. Legal practitioners and compliance officers within corporations must leverage this window to ensure their organizations meet the regulations set forth by the DOJ.

The DSP is a sweeping regulatory initiative requiring U.S. companies to protect sensitive data from being accessed by entities in specific countries of concern, notably China. It additionally targets covered persons, which include foreign companies owned or controlled by entities in these countries. The broad definition of key terms further illustrates the extensive reach of the DSP.

Implications for U.S. Companies

Even U.S. organizations with no direct ties to countries of concern could fall under the DSP’s purview. For instance, companies involved in data brokerage transactions must ensure that onward transfers of data are contractually prohibited. The definitions laid out by the DSP are notably broader than those in existing privacy frameworks, leading to significant interpretive challenges for legal professionals.

Company executives, including CEOs and boards, bear responsibility for ensuring compliance. Compliance with the DSP must be integrated into the enterprise risk management framework, with leadership responsible for reviewing annual audit reports. Furthermore, certain exemptions from the DSP could impose additional compliance burdens.

Comprehensive Data Oversight Required

Accurate knowledge of data types, storage, and usage is vital. Companies must implement comprehensive data compliance programs, enhancing traditional data mapping approaches. Similarly, understanding vendor ownership and geographic location is crucial, particularly for entities engaged in data brokerage, where the onward transfer of data to covered persons must be explicitly prohibited.

While the DSP incorporates elements of NIST’s cybersecurity framework, its requirements often surpass industry standards, necessitating the evaluation of existing controls and potential additional measures. The regulatory environment mandates a proactive and comprehensive approach to compliance, likely engaging legal teams in ongoing risk assessments and the establishment of robust internal controls.

According to Morrison Foerster attorneys, adept navigation of these complex requirements is crucial as companies prepare for potential regulatory scrutiny. The full article, available at Bloomberg Law, offers a more detailed discussion of these emerging obligations.