The U.S. Department of Justice (DOJ) “Data Security Program” (DSP), also known as the “Sensitive Data Rule” or “Bulk Data Rule,” has prompted numerous questions about its scope and application.
DOJ issued a list of FAQs in April 2025, which largely restated components of the rule. For the first time since April, DOJ has added an FAQ: “How can I report a possible violation of the DSP by another person?” The answer describes financial rewards and protections for whistleblowers.
On one hand, this does not provide U.S.-based companies with much additional guidance as they determine whether their data practices implicate the DSP and how to achieve compliance. On the other hand, it highlights for companies that employees, contractors, vendors, customers, and others have an incentive to report potential violations – and that companies should scrupulously adhere to guidelines that protect whistleblowers from retaliation.
Although some may be tempted to dismiss the update to DOJ’s FAQs, it is possible that this addition is just the first of more responses to come. DOJ permitted the public to informally submit questions about the DSP through early July, so this first supplemental FAQ could indicate that DOJ has been working through questions and is ready to start publishing responses on a rolling basis. Watch this space for updates.
