The newly launched Data Security Program redefines data protection for affected organizations.
Key takeaways
The DSP aims to prevent adversaries from accessing sensitive U.S. personal or government data.
Proactive measures are necessary to manage risks and maintain compliance with DSP requirements.
The U.S. government recently launched the Data Security Program (DSP), a sweeping national security initiative that redefines data protection for affected organizations. Led by the Department of Justice (DOJ), this program reclassifies certain data practices as national security concerns, fundamentally changing how many businesses with global operations conduct in-scope sensitive data processes. Early awareness and proactive measures are critical to manage your risk and ensure operational continuity.
The DSP introduces export-style controls to prevent foreign adversaries from accessing bulk sensitive U.S. personal and government-related data. Organizations that manage in-scope sensitive data must now consider international data access through the lens of national security. The DSP has far-reaching implications for businesses with global operations and ties (e.g., through investments or third parties) to designated “countries of concern”: China (including Hong Kong and Macau), Venezuela, Cuba, Russia, North Korea and Iran.
Could your business be affected? If your organization handles sensitive U.S. data and works with international partners in the covered regions, the answer may be yes.
Are you in the crosshairs? Assess your exposure.
Ask yourself these key questions to determine your organization's potential obligations under the DSP:
- Data exposure: Does your organization handle bulk sensitive U.S. personal data or government-related data?
- International operations and/or partnerships: Do you have operations or employees in, and/or investment/business relationships with, entities in China (including Hong Kong and Macau), Venezuela, Cuba, Russia, North Korea or Iran?
- Data access: Do you share data with any of these covered foreign entities, which could subject you to DSP restrictions?
If you answered "yes" or "maybe" to any of these questions, it is crucial to seek experienced guidance to understand your specific obligations and prepare for potential requirements under the DSP.
Impact of noncompliance
Violations of the DSP may result in civil and criminal penalties, which can be substantial.
- Maximum civil penalties are not to exceed the greater of $368,136 or twice the value of the transaction that is the basis of the violation.
- Upon conviction, an individual may also be fined up to $1 million and/or imprisoned for up to 20 years.
Navigating the DSP
Organizations should implement a comprehensive program that encompasses the complexities of the DSP, leveraging experienced external support where necessary. For example, RSM’s DSP compliance approach consists of three key phases:
Assess
- Determination of the data landscape and regulated-data exposure: Identify your data types, volumes, storage and flow. Determine whether your organization holds U.S. government-related data or meets DSP thresholds for bulk sensitive personal data.
- Counterparty risk and due diligence evaluation: Scrutinize business relationships for potential links to designated countries of concern or entities/individuals that might qualify as "covered persons." Enhance due diligence procedures, including beneficial-ownership checks.
- Transaction classification: Classify your data transactions to assess whether they are prohibited, restricted or exempt. Our analysis covers the nature of the transaction, the type of data involved and the counterparty’s status.
Respond
- Compliance with CISA security controls: Develop and implement a risk-based data compliance program that meets the requirements of the Cybersecurity and Infrastructure Security Agency and prepare for mandatory annual independent audits.
- Custom DSP compliance programs: Establish contract review and amendment recommendations for new and existing data brokerage and vendor agreements.
- Training and awareness programs: Educate all relevant personnel—including those in legal, compliance, information technology, cybersecurity, procurement, human resources, sales and business development—on the requirements of the DSP and their roles in ensuring compliance.
Manage
- Skilled interpretation and application of DSP requirements: The DSP is a complex regulatory regime with significant national security implications. RSM advisors have deep experience in national security regulations, data privacy and international trade to help interpret and apply the DSP to your organization’s specific circumstances.
- National Security Division (NSD) updates: Provide updates about new guidance from the NSD and its responses to frequently asked questions; issuance of general licenses; and additions to its Covered Persons List.
- Program management: Monitor compliance program performance and capture evidence to prepare for annual audits.
The takeaway
The DSP is a complex regulatory program with potentially significant impacts on in-scope organizations. Proactive engagement is essential for managing risk and ensuring your business is not caught unprepared.
Don't wait for the deadlines to approach. Contact our advisors to help you confidently navigate the complexities and challenges related to the DSP.
RSM contributors
-
Robert SnodgrassPrincipal, Risk Consulting
Contact our risk professionals
Complete this form and an RSM representative will be in touch shortly
