
In the following guest post, Sarah Abrams, Head of Claims at Baleen Specialty, a division of Bowhead Specialty, takes a look at recent changes in the DOJ’s Data Security Program (DSP) and discusses the D&O liability and insurance implications. I would like to thank Sarah for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Sarah’s article.
******************
On April 11, 2025, the U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) put a 90-day pause on enforcement of its program aimed at protecting Americans’ sensitive personal data and certain U.S. Government-related data from foreign adversaries. The DSP implements former President Biden’s Executive Order 14117 (EO 14117) on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The current administration has left the DSP in force, and as of July 8, the majority of DSP regulations are now in effect and will be enforced.
Because the civil and criminal penalties associated with noncompliance can be significant, D&O underwriters may want to understand the DSP and which Insureds have taken steps to be compliant. The following discusses what the DSP is, what actions will be required by companies to comply, and penalties for non-compliance, as well as resulting exposure to D&O carriers.
On February 28, 2024, President Biden issued EO 14117 under the International Emergency Economic Powers Act (IEEPA), which, as D&O Diary readers may recall, vests the President with authority to deal with extraordinary threats to national security and foreign policy that have their source in whole or in part outside the United States. EO 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” empowers the DOJ’s National Security Division (NSD), through the DSP, to initiate civil enforcement actions and criminal prosecutions against U.S.-based entities that fail to safeguard sensitive data.
On January 8, 2025, the Department’s National Security Division (“NSD”) published its final rule implementing EO 14117, codified at 28 CFR Part 202 and referred to as the Data Security Program (“DSP”). Specifically, the DSP prohibits or restricts “covered data transactions,” i.e., any transaction that involves any access by a country of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela). The DSP further restricts covered persons (including foreign employees or contractors of countries of concern or of entities that are covered persons, and foreign individuals primarily resident in countries of concern) from having access to any bulk U.S. sensitive personal data or government-related data (as defined in the regulations) through data brokerage, a vendor agreement, an employment agreement, or an investment agreement.
Common types of data subject to the DSP regulation include health and biometric data, human genomic data, financial data, personal health data, government identification numbers (such as Social Security numbers), demographic and contact information, and network, device, and advertising identifiers. While compliance with the DSP was temporarily paused until July 8, 2025, to allow industries time to adjust, that grace period has expired, with full enforcement of DSP regulations anticipated, except for due diligence, audit, and transaction reporting requirements. Another deadline of October 6, 2025, has been set for the audit and transaction reporting requirements, and also for companies to establish a data compliance program if participating in restricted transactions.
The DSP’s core requirements include identifying, prioritizing, and documenting assets, designating a compliance officer, developing incident response plans, and implementing access controls. As previously mentioned, the DSP also requires annual audits, reporting, and keeping detailed records of identified transactions for at least 10 years. In addition, the DSP requires every person to furnish under oath, as may be required by the DOJ, “complete information relative to any act or covered data transaction.” The implementation requirements to comply, including infrastructure and personnel upgrades, may be significant, but the penalty for noncompliance is severe.
As readers of the D&O Diary may recall, the FBI issued multiple alerts earlier this year that North Korean hackers had infiltrated U.S. companies by posing as IT workers, and government scrutiny of corporate cybersecurity has only intensified. Because the DSP is enforced by the DOJ’s NSD, the DOJ may leverage administrative, civil, and criminal enforcement actions. Thus, there is the potential for noncompliant companies to receive inquiries, subpoenas, and lawsuit filings, and D&O carriers may face exposure from multiple sources.
First, while civil penalties are often excluded under a D&O policy, it is important to appreciate the potential cost of noncompliance. Possible civil fines under the IEEPA include $356,579 per violation or twice the value of each violative transaction, and additional monetary penalties may apply under related statutes, such as the export-control rules associated with the Bulk Data Rule. Criminal penalties under the IEEPA, which are likewise uncovered, include up to 20 years in prison and $1 million per violation. It is important to note, however, that expenses incurred while defending DOJ enforcement actions may be covered, and potentially significant, particularly where data discovery is a factor.
In addition, punitive injunctive relief sought by the DOJ may include disqualifying non-compliant companies from federal contracts, referring DSP cases to the Committee on Foreign Investment in the United States (CFIUS) for national security review, encouraging additional SEC cybersecurity disclosure reviews, and recommending individual prosecutions of responsible executives. Disqualification from federal contracts may be a significant peril for some businesses. In particular, if the business is a publicly traded defense contractor, the loss of the federal government partnership may negatively impact the company’s share price and result in shareholder suits. In addition, the prosecution by the DOJ of “responsible” executives who have failed to ensure DSP compliance may trigger Side A of the company’s D&O policy, with expenses incurred up to final adjudication.
Furthermore, as D&O Diary readers are aware, SEC cybersecurity disclosure deficits may result in litigation similar to that faced by SolarWinds and its chief information security officer (CISO). By way of background, the SEC filed a lawsuit against SolarWinds claiming that the software company misled investors by downplaying known vulnerabilities in its information technology systems, including in a “Security Statement” published on its website. The SEC claimed that SolarWinds and its CISO were aware of the flaws in the SolarWinds software, including issues with access control and password protection practices, but failed to disclose them to investors. The SEC also claimed that SolarWinds misled the investing public by minimizing the scope and severity of the Sunburst cybersecurity attack, including by omitting that customers had previously reported similar malicious activity. On July 2, 2025, the SEC reached a preliminary settlement with SolarWinds.
While not stemming from noncompliance with DSP, the SolarWinds litigation may foreshadow claims against companies and executive leadership if false public disclosures regarding compliance are uncovered. Importantly, the DSP’s reporting and audit requirements beginning October 6, 2025, require companies to confirm compliance with oversight from Boards, audit committees, and CEOs. If companies affirm compliance while knowing they lack proper data mappings, risk reviews, or contractual safeguards, those public statements may be actionable under securities laws. Thus, D&O underwriters may want to consider reviewing insured actions and statements regarding compliance with the DSP before the DOJ does.
The views expressed in this article are exclusively those of the author, and all of the content in this article has been created solely in the author’s individual capacity. This article is not affiliated with her company, colleagues, or clients. The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter.