National Security & Data Privacy: Complying with the Bulk Data Rule and the New Data Security Program

13 May, 2026

To register for the upcoming live webinar, please check back later.

In an era of heightening geopolitical tension, the protection of sensitive personal data has moved from a privacy concern to a national security mandate. Following Executive Order 14117, the Department of Justice has implemented the Data Security Program (28 CFR Part 202)—commonly known as the Bulk Data Rule. This regulation marks a paradigm shift, treating bulk data transfers to "countries of concern" (such as China and Russia) with the same rigor as export-controlled defense technology. As of late 2025 and early 2026, enforcement is in full effect, and the grace periods for compliance have ended.

This program provides attorneys with a vital roadmap for navigating these complex new regulations. We will examine the categories of "sensitive personal data" and their specific bulk thresholds, distinguish between prohibited and restricted transactions, and discuss the severe civil and criminal penalties for non-compliance. Additionally, we will look at how this federal rule intersects with expanding state-level privacy statutes to ensure a comprehensive compliance posture for your clients. 

Learning Objectives

By the end of this session, participants will be able to:

  • Define the Regulatory Scope of EO 14117: Explain the origins and national security intent of the Data Security Program and its application to "U.S. Persons" and "Countries of Concern."
  • Identify Data Types and Bulk Thresholds: Categorize sensitive data—including genomic, biometric, health, and financial data—and apply the specific numeric thresholds that trigger federal oversight.
  • Distinguish Between Prohibited and Restricted Transactions: Evaluate business activities (such as data brokerage vs. vendor/employment agreements) to determine if they are banned outright or permitted only with CISA-mandated security controls.
  • Formulate a Compliance and Enforcement Strategy: Assess the risk of significant IEEPA-based penalties and implement best practices for "knowing your data," conducting annual audits, and meeting mandatory DOJ reporting requirements.
  • Analyze Intersecting State Statutes: Compare the federal Bulk Data Rule with new 2026 state privacy developments (e.g., in Indiana, Kentucky, and Rhode Island) to manage overlapping regulatory burdens.
