Why Data Protection Is Now a National Security Matter: Understanding the Bulk Data Rule
Compliance and Certification | Federal Assessments | Audit Readiness
Published: Jul 22, 2025
The National Security Division (NSD) of the U.S. Department of Justice (DOJ) issued a Final Rule establishing a new Data Security Program (DSP) under Executive Order 14117, Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The Final Rule regulates "covered data" transactions, and its goal is clear: prevent U.S. government-related data and Americans' bulk sensitive personal data from being accessed by:
- Countries of concern, including China, Iran, North Korea, Russia, Venezuela, and Cuba
- Covered persons, including individuals and entities that are from, owned or controlled by, or located in a country of concern
Exploitation of such data could threaten U.S. national security by enabling blackmail, coercion, espionage and economic espionage, and foreign malign influence. This is no longer just cybersecurity policy; it is national security policy. For Schellman clients, especially those who handle large-scale personal data, this update deserves serious attention.
In this article, we detail what "covered data" includes, the bulk thresholds for U.S. sensitive personal data, the key deadlines to be aware of, and the actionable steps you can take today to prepare for the Data Security Program.
What is “Covered Data”?
The Final Rule targets two major categories of “Covered Data”:
- Government-Related Data
Government-related data is precise geolocation data for listed sensitive locations, such as military or intelligence sites; even a single record of location data tied to such a facility is covered. It also includes linked government personnel data: sensitive personal data that is marketed as connected to U.S. government employees, U.S. military personnel, members of the Intelligence Community, or contractors, regardless of quantity.
- Bulk U.S. Sensitive Personal Data
Bulk U.S. sensitive personal data is a collection or set of sensitive personal data relating to U.S. persons. The DSP identifies the following types of data as sensitive personal data:
  - Human 'omic data: Human genomic, epigenomic, proteomic, and transcriptomic data, excluding pathogen-specific data embedded in human 'omic data sets.
  - Biometric identifiers: Measurable physical characteristics or behaviors used to recognize or verify the identity of an individual, such as fingerprints, facial images, iris and retina scans, palm prints, voice prints and patterns, gait, and keyboard usage patterns.
  - Precise geolocation data: Real-time or historical data that identifies the physical location of an individual or a device to within 1,000 meters.
  - Personal health data: Health information that relates to an individual's past, present, or future physical or mental health status, the healthcare they receive, or the payments made for their care.
  - Personal financial data: Data related to an individual's payment methods, account activity, assets, debts, or credit history, including information from bank accounts, transactions, credit reports, or consumer reports.
  - Covered personal identifiers: Specifically listed classes of personally identifiable data that can reasonably be linked to an individual and that could be used to identify someone, or to link records about an individual across data sets, when combined with other sensitive personal data or with additional information disclosed by a transacting party.
Bulk U.S. Sensitive Personal Data Thresholds
Now that we have identified the sensitive personal data types, it is important to understand the bulk thresholds at which the DOJ Final Rule applies. Bulk U.S. sensitive personal data is a collection or set of sensitive personal data relating to U.S. persons, in any format. The thresholds apply regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted:

| Data Type | Bulk Threshold |
|---|---|
| Human 'omic data | More than 1,000 U.S. persons (more than 100 U.S. persons for human genomic data) |
| Biometric identifiers | More than 1,000 U.S. persons |
| Precise geolocation data | More than 1,000 U.S. devices |
| Personal health data | More than 10,000 U.S. persons |
| Personal financial data | More than 10,000 U.S. persons |
| Covered personal identifiers | More than 100,000 U.S. persons |

Where a data set combines multiple data types, the lowest applicable threshold applies.
Prohibited vs. Restricted Transactions
Any covered data transaction involving U.S. government-related data is prohibited. Data brokerage transactions (the sale, license, or other transfer for value) of U.S. sensitive personal data above the bulk thresholds are also prohibited, and violations are subject to civil penalties and, for willful violations, criminal fines and imprisonment.
Any covered data transaction that involves a vendor agreement, employment agreement, or investment agreement with a covered person or country of concern is a restricted transaction. Restricted transactions are permitted only if the U.S. person complies with all applicable DSP requirements: the security requirements in the Cybersecurity and Infrastructure Security Agency (CISA) Security Requirements for Restricted Transactions, the data compliance program development and implementation requirements, the audit requirements, and the recordkeeping and reporting requirements.
Data Security Program Key Deadlines
This program is not theoretical; it is in effect now. The rule took effect on April 8, 2025, although the NSD announced that it would not prioritize civil enforcement against organizations making good-faith compliance efforts until July 8, 2025. As of October 6, 2025, U.S. persons engaged in restricted transactions must have developed and implemented a data compliance program and must meet the audit and reporting requirements.
Why This Program Matters to You
If your organization handles large amounts of government-related data, personal data, consumer information, health records, or financial data, regulators may soon ask the following questions:
- Where is that data stored?
- Who are your vendors, and where are they located?
- Are there any sensitive personal data types over the bulk data thresholds?
- Are you ensuring that no foreign adversaries can access that data, either directly or through third parties?
For some industries, this may eventually translate into mandatory certifications or audits, much like CMMC for defense contractors, FedRAMP for Cloud Service Providers, or ITAR compliance for aerospace and defense. Even if you are not in those sectors, similar enforcement patterns could apply to large consumer platforms, healthcare firms, financial services, and cloud providers.
The DOJ published a Compliance Guide and FAQ to help you better understand the implications, including compliance program requirements, under the Data Security Program.
Steps to Prepare for the Data Security Program
To remain compliant, you can prepare for the Data Security Program today in the following ways:
- Map your data flows with a national security lens.
- Understand the volume and types of data that your organization possesses and are transacting.
- Review third-party risk management programs with a focus on foreign influence and access.
- Evaluate your security certifications. Consider whether your ISO 27001, SOC 2, or HIPAA assessments fully cover this risk area.
- Ask about the next steps. Schellman can assess your exposure and help you get ahead of regulatory expectations.
How Schellman Can Help
At Schellman, our job is to help you stay ahead of compliance changes like this before they become formal requirements. If you’re unsure where to begin, contact us today to learn how we can support you and your compliance needs.
About Andrew Daniel
Andrew Daniel is a Manager with Schellman based in Orlando, FL. Prior to joining Schellman in 2019, Andrew worked as a Cyber Risk Consultant specializing in the implementation of the Risk Management Framework (RMF) for Federal clients. As a Manager with Schellman, Andrew is focused primarily on FedRAMP audits for multiple organizations throughout various industries. Andrew's credentials include the CISSP and CISA.