The DOJ's Bulk Sensitive Data (BSD) Rule

The BSD Rule, issued by the U.S. Department of Justice (DOJ), is in effect. Here's what your organization needs to do now.

The BSD Transfer Rule took effect on April 8, 2025. Noncompliance could cost your company up to $1 million in fines and up to 20 years' imprisonment. Understand your obligations now.

Quick Reference Guide

The BSD Rule took effect on April 8, 2025. Your existing contracts are not grandfathered in.

This quick reference guide, prepared by Epstein Becker Green, covers data thresholds, all six countries of concern, prohibited vs. restricted transactions, 11 exemptions, and your first compliance steps. Free to download.

New Federal Regulation Creates Immediate Compliance Obligations

If your organization shares data internationally—particularly with entities in China, Russia, Iran, Cuba, North Korea, or Venezuela—you're likely subject to the DOJ's new BSD Rule under Executive Order 14117.

This regulation has the force of law and imposes unprecedented restrictions on how U.S. organizations handle sensitive personal data in cross-border transactions. Unlike many regulations, existing agreements are not grandfathered—meaning contracts signed before April 8, 2025, must now comply.

KEY STATS

  • Effective Date: April 8, 2025
  • Maximum Civil Penalty: $368,136 or 2x transaction value
  • Criminal Penalties: Up to $1 million fine + up to 20 years' imprisonment
  • First Annual Reports Due: March 1, 2026

The BSD Rule applies to virtually any U.S. organization or person—regardless of size—that engages in covered transactions involving bulk sensitive data with "covered persons" or countries of concern.

Assess your risk with our BSD Compliance Flow Chart.

Does the BSD Rule Apply to Your Organization?

Industries Most Impacted

  • Life sciences & health care
  • Pharmaceutical & biotech
  • Clinical research organizations
  • Medical device manufacturers
  • Technology & SaaS companies
  • Financial services & private equity
  • Manufacturing with global supply chains

Types of Covered Transactions

  • Data brokerage agreements
  • Employment agreements
  • Vendor agreements
  • Investment agreements
  • Any transaction providing countries of concern access to bulk U.S. sensitive data

What Qualifies as "Bulk" Data

  • 100 U.S. persons (genomic data)
  • 1,000 U.S. persons (biometric identifiers)
  • 10,000 U.S. persons (health/financial data)
  • 100,000 U.S. persons (personal identifiers)
  • Thresholds vary by data type

Speak with an Attorney Who Knows This Rule

Elena M. Quattrone

Elizabeth J. McEvoy

Navigate BSD Compliance with Clarity and Confidence

Our team has developed specific tools and advisory services to help organizations like yours understand their obligations under the BSD Rule, assess risk, and implement compliant data practices.

Know your exposure in minutes:

  • Whether the BSD Rule applies to your organization
  • If your transactions are prohibited or restricted
  • Which exemptions may apply to your situation
  • What compliance steps are required

5 Reasons Why Organizations Are Struggling with BSD Compliance

Unclear Applicability

Determining whether specific data transactions are "prohibited" or "restricted"

No Grandfathering

Reviewing and revising existing vendor, employment, and investment agreements to ensure compliance

Stringent Security Requirements

CISA-mandated cybersecurity controls for restricted transactions

Extensive Reporting

Annual reporting on transactions, declined offers, and suspected violations

Vendor Management Burden

Vetting and monitoring third-party compliance across international relationships

Your BSD Rule Questions Answered

What is the DOJ Bulk Sensitive Data Transfer Rule?

Brief explanation of EO 14117 and the rule's purpose

When did this rule take effect?

April 8, 2025, with certain audit/reporting requirements effective October 6, 2025

What are "countries of concern"?

China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, Venezuela

Are existing contracts grandfathered in?

No. All agreements must comply regardless of when they were signed.

What's the difference between prohibited and restricted transactions?

Clear distinction with examples

What types of data are covered?

Government-related data and sensitive personal data (with categories)

Are there any exemptions?

Brief overview of the 11 exemptions with links to detailed sections

What are the penalties for non-compliance?

Civil and criminal penalty details

Does this apply to small companies?

Yes, there is no size or employee minimum

How do I know if my vendor relationships are compliant?

High-level guidance with CTA for consultation

Your Path to BSD Compliance

Step 1: Assess

Know Your Data: Identify what sensitive data you collect and whether it meets bulk thresholds.

Step 2: Evaluate

Know Your Vendors: Review third-party relationships and determine if they involve covered persons.

Step 3: Implement

Establish Compliance Programs: Create data security policies, audit procedures, and training protocols.

Step 4: Report

Maintain Records & File Annual Reports: Prepare for reporting obligations and maintain 10-year records.

Additional Resources

DOJ’s Final Rule on Bulk Data Transfers: A Road Map

A road map for restricting sensitive data transactions with countries of concern, the BSD Rule ensures U.S. national security.

DOJ’s Final Rule on Bulk Data Transfers: The First 180 Days

Federal agency actions and reactions have underscored the far-reaching effects of the BSD Rule.

DOJ’s Bulk Sensitive Data Rule and Your Obligation to “Know Your Data”

The instruction to “know your data” is one that even the DOJ has directed U.S. companies and persons to heed in light of the BSD Rule.

DOJ’s Bulk Sensitive Data Rule and Your Obligation to “Know Your Vendor”

This guide to navigating the DOJ’s BSD Rule offers insights to help stakeholders achieve compliance.

Our BSD Attorneys in the News

Elizabeth McEvoy Quoted in “DOJ Poised to Pounce on Data Security Violators”

Important Compliance Deadlines

Organizations subject to the BSD Rule face immediate compliance obligations. Reports are due by March 1 each year, with the first annual reporting deadline in March 2026—don't wait to assess your risk and implement necessary controls.

Timeline:

  • April 8, 2025: BSD Rule effective
  • October 6, 2025: Audit and reporting requirements effective
  • March 1, 2026: First annual reports due
  • Ongoing: Continuous compliance obligations

First Annual Reports

Due March 1, 2026

Join Epstein Becker Green and BDO for an in-depth webinar exploring the complexities of the DOJ’s Bulk Sensitive Data Rule (BSD Rule) and the corresponding Data Security Program (DSP) from EO 14117 and their implications for organizations across all industries.

March 18, 2026

3:00 – 4:00 p.m. ET

Don't Navigate BSD Compliance Alone

The stakes are too high for guesswork. Our team is ready to help you understand your obligations, assess your current practices, and implement a compliant data transfer framework.

© 2026 Epstein Becker & Green, P.C. All rights reserved. Attorney advertising.