This blog post is the latest installment in a series focused on the DOJ’s Bulk Sensitive Data (“BSD”) Rule and intended to help stakeholders navigate the rule’s complex requirements and achieve full compliance.

Epstein Becker & Green (“EBG”) has previously advised U.S. organizations that share data in bulk or otherwise grant access to U.S. sensitive data to countries of concern or covered persons to “Know Their Data” and “Know Their Vendors.”

In this post, we discuss why U.S. organizations across all industries with cross-border operations – including health care / life sciences, finance, e-commerce, and research – must “know their reporting requirements” in order to fully comply with the BSD Rule and its brand-new reporting obligations.

The Rule

To recap, as EBG previously reported, the National Security Division (“NSD”) of the U.S. Department of Justice (“DOJ”) issued the BSD Rule, which imposed a new compliance framework for organizations engaging in cross-border business activity. In short, the BSD Rule prohibits and/or restricts U.S. persons and companies from engaging in what are deemed “covered transactions” – or provision of access to U.S. sensitive and government-related data – with countries of concern (China – including Hong Kong and Macau, Russia, Iran, North Korea, Cuba, and Venezuela), covered persons affiliated with those countries of concern, and foreign intermediaries who may provide access to bulk data to end-users falling into one of those designations.

The Reporting Obligations

It is not enough for stakeholders to internally audit and inventory their data and vendor relationships – beginning March 1, 2026, U.S. organizations must report their covered activity pursuant to Subpart K under the Rule.

The BSD Rule provides four basic categories of reporting obligations:

Reports in Response to an NSD Request (28 CFR § 202.1102)

  • Section 202.1102 requires every person to furnish under oath, in the form of reports or otherwise, from time to time and at any time as may be required by NSD, complete information relative to any act or covered data transaction.

Annual Reports for Restricted Transactions (28 CFR § 202.1103)

  • Section 202.1103 requires U.S. persons that engage in restricted transactions involving cloud-computing services, or that are 25% or more owned (directly or indirectly) by a country of concern or covered person, to file annual reports with NSD.
  • Reports must be filed by March 1 of the year following the year to which the report relates.
  • Unless otherwise permitted by the Rule, U.S. persons may not knowingly engage in a covered data transaction involving a vendor agreement, employment agreement, or investment agreement with a country of concern or covered person unless they have implemented the Data Security Program (“DSP”) requirements imposed by the BSD Rule. Among other things, the DSP requires the establishment and implementation of risk-based procedures for verifying data flows and the identity of vendors, a robust written data compliance program, and regular audits.

Reports on Rejected Prohibited Transactions (28 CFR § 202.1104)

  • The BSD Rule prohibits U.S. persons from participating in “prohibited transactions” (as that term is defined in the Rule), including covered data transactions involving data brokerage.
  • Section 202.1104 requires U.S. persons that “affirmatively” reject engaging in a prohibited data brokerage transaction to report the transaction to NSD within 14 days of the rejection. Reports must include all information in the reporting person’s possession and, at a minimum, information regarding the submitter of the report and the data involved in the transaction.

Reports of a Known or Suspected Violation (28 CFR § 202.302(b))

  • Section 202.302 further limits transactions providing access to U.S. sensitive data to a foreign person that is not a covered person.
  • Section 202.302(a) generally prohibits U.S. persons from knowingly engaging in a transaction that involves providing access to bulk U.S. sensitive personal data (or any volume of government-related data) to any foreign person, regardless of that person’s status as a country of concern or covered person, unless they contractually require the foreign person to refrain from downstream data transactions involving a country of concern.
  • Further, Section 202.302(b) requires that U.S. persons who rely on this exception must report any known or suspected violations of the contractual requirement within 14 days of learning of the suspected violation. Such reports may constitute a voluntary self-disclosure, but the NSD has indicated that it would evaluate this status on a fact-specific basis.
  • Importantly, U.S. persons subject to these reporting requirements must retain full and accurate records of each transaction engaged in for at least 10 years after the date of such transaction.

Who Must Report

The Rule imposes the above-described reporting obligations on any U.S. person or entity that engages in the conduct described herein. There is no size or revenue threshold: small businesses, nonprofits, and individuals are subject to the Rule on the same footing as large enterprises.

Industries with heightened exposure include:

  • Life sciences, pharmaceutical, and clinical research organizations handling genomic or health data;

  • Financial services and private equity firms with cross-border investment or vendor relationships;

  • Technology and SaaS companies processing large volumes of U.S. user data; and

  • Manufacturers with global supply chains that involve data-sharing with overseas affiliates.

Penalties for Noncompliance

The Rule carries substantial civil and criminal exposure. Civil penalties may reach $368,136 per violation or twice the value of the underlying transaction, whichever is greater. Criminal liability — available for willful violations — can result in fines of up to $1 million and imprisonment of up to 20 years. The DOJ has publicly signaled its intent to pursue enforcement vigorously, and both the transacting entity and responsible individuals may be held liable.

Priority Action Steps

Given that the March 1, 2026 reporting deadline has now passed, organizations should move quickly to:

  • Audit international data flows for transactions that occurred in 2025 and involved covered persons or countries of concern;

  • Document restricted transactions and ensure all requirements under the DSP are met;

  • Review and update vendor, employment, and investment contracts to include required representations, warranties, and data flow restrictions;

  • Establish a recurring compliance calendar to track ongoing restricted transactions and capture the data required for future annual reports; and

  • Implement a process for logging declined covered data transactions and documenting any suspected violations identified internally.

Looking Ahead

The BSD Rule represents a fundamental shift in how U.S. companies must think about cross-border data sharing and access. Unlike conventional privacy regulations focused on consumer notice and consent, this framework is grounded in national security and imposes strict liability regardless of intent. U.S. companies should address compliance with this new regulatory framework now to avoid potential enforcement down the line.
