On April 8, 2025, a final rule from the Department of Justice (DOJ) went into effect on Preventing Access to U.S. Sensitive Personal Data and Government Related Data by Countries of Concern or Covered Persons (28 CFR Part 202).

While this rule applies broadly, this article is designed to give you an understanding of the terms (through explanation and examples) as well as a summary of the requirements as they relate to financial institutions.

Background

On February 28, 2024, Executive Order 14117 was published. The order directed the DOJ to develop regulations to secure Americans' sensitive personal data so that it cannot be used for malicious reasons, such as cyber-attacks, fraud, intimidation, blackmail, espionage, terrorism, and so on.

The DOJ quickly got to work, publishing the proposed rule on October 29, 2024 and the final rule on January 8, 2025. On these same dates, CISA proposed and finalized relevant Security Requirements for Restricted Transactions, which will come into play later.

When asked about the possibility of extending the comment period, the DOJ said:

"Extending the comment period would allow this increasingly urgent, unaddressed threat to continue unabated, giving countries of concern more time and opportunities to collect and exploit government-related data and bulk U.S. sensitive personal data. Delay only increases this unusual and extraordinary threat."

What this means: Time is of the essence and prompt compliance is going to be especially critical.

Rule Overview

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons. Each of those words has a special (and legal) meaning, so let's break it down a bit.

Covered Data Transaction

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

According to the preamble:

"The sale of data is only one means by which countries of concern are seeking access to government-related data and bulk U.S. sensitive personal data. Countries of concern also leverage vendor, employment, and investment agreements as additional vectors to try to obtain that access."

Because of this, the term covered data transaction is defined as "any transaction that involves any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data" in one of the following ways:

  1. Data brokerage. Any arrangement where someone sells data, licenses access to data, or performs similar commercial transactions with someone who didn't collect the data directly from the person it's about. This rule applies to both first-party and third-party data brokerage.

  2. Vendor agreement. Any arrangement where someone provides goods or services (including cloud services) in return for payment or other compensation.

  3. Employment agreement. Any arrangement where a person works directly for someone else in exchange for pay. This includes roles on boards, executive positions, and operational jobs.

  4. Investment agreement. Any arrangement where someone pays to gain ownership (directly or indirectly) in U.S. real estate or a U.S. company. (There is an exception for "passive investments.")

What This Means: Certain international data transactions are now prohibited (via data brokerage) or restricted (via vendor, employment, or investment agreements).

Government-Related Data

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

Government-related data includes:

  • Precise geolocation data from any area identified on the Government-Related Location Data List (e.g., military bases, intelligence agency facilities, national security worksites, federal law enforcement field offices, etc.).
  • Sensitive personal data that is linked or linkable to current or former U.S. government employees, contractors, or senior officials, regardless of the amount of data.

What This Means: Geolocation data and sensitive personal data related to the U.S. government are a protected class of information under this rule.

Sensitive Personal Data

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

Financial institutions are pretty used to protecting sensitive personal data already (see the Gramm-Leach-Bliley Act (GLBA)). However, the DOJ's new definitions significantly broaden what needs to be protected in the context of these covered data transactions.

While other categories may apply, there are two categories (out of six) in the definition of sensitive personal data that are particularly relevant to financial institutions: Covered Personal Identifiers and Personal Financial Data.

Covered Personal Identifiers

The term covered personal identifiers means any listed identifier in combination with any other listed identifier – or – in combination with other data provided that links the transaction to other listed identifiers or other sensitive personal data, except for a couple limited exclusions.

Listed identifiers include:

Category

Examples

Full or truncated government identification or account number
  • Social security number
  • Driver's license number
  • State identification number
  • Passport number
  • Alien registration number

Full financial account numbers or personal identification numbers associated with a financial institution or financial-services company

The rule did not provide examples for this category. However, some examples may include:

  • Checking account numbers
  • Savings account numbers
  • Mortgage lending account numbers
  • Auto loan account numbers
  • Payment app account numbers
  • Personal identification numbers (PIN)

Device-based or hardware-based identifier
  • International Mobile Equipment Identity (IMEI)
  • Media Access Control (MAC) address
  • Subscriber Identity Module (SIM) card number

Demographic or contact data
  • First and last name
  • Birth date
  • Birthplace
  • ZIP code
  • Residential street or postal address
  • Phone number
  • Email address
  • Similar public account identifiers

Advertising identifier
  • Google Advertising ID
  • Apple ID for Advertisers
  • Other mobile advertising ID (MAID)

Account-authentication data
  • Account username
  • Account password
  • Answer to security questions

Network-based identifier
  • Internet Protocol (IP) address
  • Cookie data

Call-detail data
  • Customer Proprietary Network Information (CPNI)

 

What This Means: In the context of a covered data transaction, more personal data needs to be protected. This definition significantly broadens what financial institutions have historically considered nonpublic personal information (NPI) under GLBA.

Personal Financial Data

The term personal financial data means:

"Data about an individual's credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a "consumer report" (as defined in 15 U.S.C. 1681a(d))."

There are some exemptions for financial services, if the data transaction is "ordinarily incident to and part of the provision of financial services." This includes things like traditional financial services (e.g., banking, underwriting, etc.), everyday commercial transactions, payment processing, funds transfer, investment management, and other related services.

What This Means: While the definition of personal financial data is broad, certain uses tied to routine financial services are exempt.

Bulk

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

The term "bulk" means different things in different contexts. To paraphrase though, "bulk" data includes:

  • Covered personal identifiers on more than 100,000 U.S. individuals.
  • Personal financial information on more than 10,000 U.S. individuals.

This applies to data collected or maintained over a 12-month period, even if the data is spread across multiple transactions with the same foreign party.

Also, if you combine different types of sensitive personal data or link any listed identifier to sensitive personal data, and any one type meets its individual threshold, then the entire set is considered bulk using the lowest threshold involved.

What This Means: Not all transactions involving U.S. sensitive personal data are prohibited. Only the bulk ones are, unless the data is government-related.

Countries of Concern

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

The term country of concern means any foreign government that the U.S. Attorney General, Secretary of State, and Secretary of Commerce determine has repeatedly acted against U.S. national security or the safety of its people – and – poses a serious risk of misusing sensitive U.S. personal or government data in harmful ways.

What This Means: As of the rule's effective date, there are six countries identified as countries of concern: China, Cuba, Iran, North Korea, Russia, and Venezuela.

Covered Persons

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

The rule uses the word "person" a lot, but it doesn't always mean an individual. Sometimes, it means entities (e.g., businesses, companies, organizations, etc.). Specifically, the term covered person includes foreign individuals or entities that meet any of the following criteria:

  1. Organizations that are 50% or more owned by or based in a country of concern.
  2. Organizations that are 50% or more owned by other covered persons.
  3. People who work for or live in a country of concern or for a covered person.
  4. Anyone else the Attorney General believes is controlled by, acting for, or likely to help a country of concern violate the rule.

What This Means: A covered person is anyone (individuals or organizations) connected to a country of concern through ownership, location, employment, or other actions that may help a country of concern violate the rule.

Restricted Transactions

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

A restricted transaction means that (except for the exemptions) no U.S. person "may knowingly engage in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless the U.S. person complies" with the CISA Security Requirements for Restricted Transactions.

The CISA requirements impose several obligations that organizations must follow, including:

  • Organizational-level requirements (e.g., governance, personnel security, etc.)
  • System-level requirements (e.g., access controls, monitoring and logging, etc.)
  • Data-level requirements (e.g., data minimization, data masking, encryption, etc.)

What This Means: One intent of the rule is to allow businesses to continue their vendor, employment, and investment relationships, but strike a balance with security.

Not sure where to start? Conduct a cybersecurity self-assessment on the CISA Security Requirements framework in the Tandem Cybersecurity Assessment product. Sign up for free and get started today.

Prohibited Transactions

This rule restricts or prohibits covered data transactions which would allow access to government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons.

A prohibited transaction means that (except for the exemptions) no U.S. person "may knowingly engage in a covered data transaction involving data brokerage with a country of concern or covered person."

This includes making sure your data-sharing agreements prohibit the onward transfer of covered data to countries of concern or covered persons. If the contract is violated, this must be reported to the Department of Justice within 14 days of "becoming aware" of the violation.

There are a few other categories of prohibited transactions, but some of these should really go without saying (e.g., no evasion allowed, no directing prohibited deals, etc.).

What This Means: Selling, licensing, or otherwise engaging in commercial data brokerage activities for covered data with countries of concern or covered persons is now illegal.

Compliance Requirements

To prove your compliance, the final rule has due diligence, audit, recordkeeping, and reporting requirements. Below we cover what to expect for each of these four compliance areas.

Due Diligence Requirements

If you engage in restricted transactions, you are required to develop and implement a data compliance program by October 6, 2025. At minimum, the program must include the following.

Requirement

Explanation

Risk-Based Procedures for Restricted Transactions

You must have procedures in place to verify and log:

  • The types and volumes of covered data involved.
  • The involved parties (including ownership, citizenship, or primary residence).
  • The end-use of the data.
  • The method of data transfer.

Vendor Verification

You must have procedures in place to verify vendor identities, if vendors are involved.

Documented Compliance Policy

You must have a written compliance policy. The policy must be reviewed and certified annually by someone responsible for compliance.

Documented Security Policy

You must have a written security policy that explains how you meet the CISA Security Requirements. The policy must be reviewed and certified annually by someone responsible for compliance.

Additional Information

You must be ready to provide any other information to the U.S. Attorney General upon request.

 

For more information, check out our blog on Building a Data Compliance Program for the DOJ's New Security Rule with Tandem.

Audit Requirements

If you engage in restricted transactions on or after October 6, 2025, the audit requirements require you to have an annual independent audit by a qualified auditor. The audit must be conducted using a reliable methodology and the scope must include an examination of:

  • The restricted transactions.
  • The data compliance program.
  • Relevant records (e.g., transaction records, policies, audit results, due diligence, etc.).
  • The implementation and effectiveness of the CISA Security Requirements for Restricted Transactions.

The audit report must be delivered to the bank within 60 days of the audit's completion, and it (along with any relevant records) must be retained for 10 years.

Recordkeeping Requirements

If you engage in any data transaction governed by this rule, you must keep full and accurate records of the transaction for at least 10 years and make sure the records are available for examination upon request.

In addition to the due diligence and audit requirements mentioned above, you must also be prepared to present transaction details, including:

  • The method of data transfer.
  • Start and end dates.
  • Copies of agreements.
  • Licenses or advisory opinions.
  • Reference numbers for any official documents from the DOJ.
  • Copies of any other relevant documentation related to the transaction.

Reporting Requirements

If you engage in any data transaction governed by this rule, there are several types of reports which may be required.

Requirement

Explanation

General Reports

At any time, you may be requested to provide complete reports on any transaction governed by the rule.

Annual Reports

If you engage in a restricted transaction involving cloud computing – and – your organization has more than 25% ownership by a country of concern or covered person, you must submit an annual report by March 1 of the following year.

Reports on Prohibited Transactions

If you receive and reject an offer from another person to engage in a prohibited transaction, you must submit a report within 14 days of the rejection.

Reporting Known or Suspected Violations

If you know or suspect a prohibited transaction may have occurred, you must file a report within 14 days of becoming aware of the violation.

 

Reports must follow the rule's instructions and any guidelines posted on the DOJ National Security Division (NSD) website, such as those in the Compliance Guide or FAQ. Reports must be submitted electronically via email ([email protected]) or other method approved by NSD (e.g., online portal).

Next Steps

This is a significant rule and prompt compliance is expected. As such, if you think you may be participating in covered data transactions, it is important for you to consult with legal counsel to ensure that you are taking necessary steps to comply with the rule.

If you are looking for help in documenting and demonstrating compliance, check out Tandem, a governance, risk management, and compliance (GRC) application. Our suite of products is ready to help you manage your information security program. Solutions we have that are particularly well suited to help you manage this new rule include:

  • Cybersecurity Assessment: Conduct and document your CISA Security Requirements self-assessment.
  • Vendor Management: Track your vendors, due diligence, contracts, and more.
  • Policies: Demonstrate your compliance with policy templates for Data Management, Information Sharing, Personnel Security, and Vendor Management.
  • Risk Assessment: Track your data types and information asset inventory.
  • Audit Management: Document your findings and response process.

Check out these products and learn more about how Tandem can help you at Tandem.App.