On July 9, 2025, the Department of Justice (“DOJ”) commenced enforcement of its new Data Security Program (“DSP”) to prevent foreign adversaries from accessing sensitive U.S. data. Created earlier this year, the program seeks to prevent China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela (collectively, the “Countries of Concern”), as well as foreign entities or individuals with significant ties to these nations, from gaining access to U.S. government-related data and certain categories of U.S. sensitive personal data. Importantly, the rules apply “regardless of whether the data is anonymized, pseudonymized, de-identified or encrypted.” According to the DOJ, the threat of foreign adversaries collecting and weaponizing U.S. data had become “increasingly urgent, and ensuring prompt compliance with the DSP’s requirements is critical to addressing the administration’s priorities and stopping the flow of U.S. sensitive personal data and government-related data to countries of concern.” The seriousness of any infraction is reflected in the program’s steep civil and criminal penalties. Violators of the DSP could be subject to fines up to $368,136 per violation, or twice the value of each transaction in violation, whichever is greater. Willful violators could face imprisonment of up to 20 years and a $1 million fine.