TL;DR: The DOJ’s Data Security Program Rule restricts certain bulk transfers of sensitive personal data to countries of concern and pushes organisations to prove what data they hold, where it resides, who can access it, and how it is governed, according to Cyera. That makes visibility, classification, and auditable remediation a compliance control, not just a data management exercise.
NHIMG editorial — based on content published by Cyera: Operationalizing Compliance with the DOJ’s Rule for Bulk Transfers of Sensitive Personal Data
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams govern bulk sensitive data transfers under the DOJ rule?
A: They should treat bulk transfer governance as a combined data, access, and evidence problem.
Q: Why do sensitive data rules create new demands on IAM and NHI controls?
A: Because the rule depends on knowing not only where data resides, but also which humans, service accounts, and processors can access it.
Q: What breaks when organisations classify data but ignore who can access it?
A: They create a false sense of control.
Practitioner guidance
- Build a sensitive-data inventory tied to access paths: classify regulated datasets and map each one to the users, service accounts, and third-party processors that can reach it.
- Separate discovery from compliance approval: do not treat classification output as an automatic pass.
- Wire alerts into remediation workflows: route policy hits to privacy, security, and compliance owners through ticketing or messaging tools so access changes, deprovisioning, and exception approvals are recorded as part of the same case.
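The three steps above, carried through as one added example (this is illustrative code, not Cyera's product logic or anything from the source article): a small evaluator that joins a classified inventory to the principals that can reach each dataset, emits policy hits that start in a pending state rather than passing on classification alone, and records remediation or an explicit exception as evidence on the same case. The datasets, principals, record-count threshold, ticket id and the `COUNTRIES_OF_CONCERN` codes are all constructed placeholders, not the rule's actual list.

```python
"""Added example (not from Cyera or NHIMG): inventory-to-access-path evaluator
for the three practitioner steps. All dataset, principal and policy values are
constructed for illustration; COUNTRIES_OF_CONCERN codes are placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

COUNTRIES_OF_CONCERN = {"CC-1", "CC-2"}      # placeholder codes, not the DOJ list
REGULATED_CLASSES = {"PII", "PHI", "FINANCIAL"}
BULK_THRESHOLD = 100_000                      # constructed record-count threshold


@dataclass
class Dataset:
    id: str
    classes: set          # classification labels produced by discovery
    records: int
    reachable_by: set     # principal ids with read access (from access-path mapping)


@dataclass
class Principal:
    id: str
    kind: str             # "human" | "service_account" | "processor"
    jurisdiction: str     # where the principal operates from
    privileges: set       # e.g. {"read"} or {"read", "admin"}


@dataclass
class Finding:
    dataset: str
    principal: str
    reason: str
    owner: str            # routing target: privacy / security / compliance
    state: str = "pending_review"
    evidence: list = field(default_factory=list)


def is_bulk_regulated(ds: Dataset) -> bool:
    return bool(ds.classes & REGULATED_CLASSES) and ds.records >= BULK_THRESHOLD


def evaluate(datasets, principals) -> list:
    """Steps 1 and 2: join the inventory to access paths and emit policy hits.
    Classification alone never yields a pass; every hit starts pending review."""
    by_id = {p.id: p for p in principals}
    findings = []
    for ds in datasets:
        if not is_bulk_regulated(ds):
            continue
        for pid in sorted(ds.reachable_by):
            p = by_id[pid]
            if p.jurisdiction in COUNTRIES_OF_CONCERN:
                findings.append(Finding(ds.id, pid, "reachable from country of concern", "compliance"))
            elif p.kind == "processor":
                findings.append(Finding(ds.id, pid, "third-party processor access to bulk regulated data", "privacy"))
            elif p.kind == "service_account" and "admin" in p.privileges:
                findings.append(Finding(ds.id, pid, "service account with excessive privilege", "security"))
    return findings


def _stamp(f: Finding, event: str, actor: str, note: str = "") -> None:
    f.evidence.append({"at": datetime.now(timezone.utc).isoformat(),
                       "event": event, "actor": actor, "note": note})


def open_case(f: Finding, ticket_id: str) -> Finding:
    """Step 3: route the hit to its owner; the ticket id ties later changes to this case."""
    _stamp(f, "case_opened", f.owner, ticket_id)
    return f


def remediate(f: Finding, actor: str, action: str) -> Finding:
    """An access change (revoke, narrow scope, deprovision) recorded on the same case."""
    f.state = "remediated"
    _stamp(f, "access_changed", actor, action)
    return f


def approve_exception(f: Finding, approver: str, justification: str) -> Finding:
    """An explicit, attributable exception is the only way a hit becomes approved."""
    if not justification.strip():
        raise ValueError("exception requires a written justification")
    f.state = "exception_approved"
    _stamp(f, "exception_approved", approver, justification)
    return f


# Constructed sample inventory and access map
PRINCIPALS = [
    Principal("alice", "human", "HOME", {"read"}),
    Principal("svc-etl", "service_account", "HOME", {"read", "admin"}),
    Principal("vendor-analytics", "processor", "HOME", {"read"}),
    Principal("svc-mirror", "service_account", "CC-1", {"read"}),
]
DATASETS = [
    Dataset("customers_db", {"PII", "FINANCIAL"}, 2_400_000,
            {"alice", "svc-etl", "vendor-analytics", "svc-mirror"}),
    Dataset("marketing_leads", {"PII"}, 12_000, {"alice", "vendor-analytics"}),  # below bulk threshold
    Dataset("build_logs", {"INTERNAL"}, 900_000, {"svc-etl"}),                   # not regulated
]

if __name__ == "__main__":
    for hit in evaluate(DATASETS, PRINCIPALS):
        open_case(hit, "TICKET-placeholder")
        print(hit.dataset, hit.principal, hit.reason, "->", hit.owner)
```

Run against the constructed inventory, only `customers_db` produces hits: the admin service account goes to security, the principal operating from the placeholder jurisdiction goes to compliance, and the processor goes to privacy. `marketing_leads` is PII but below the constructed bulk threshold and `build_logs` is not regulated, so neither produces a case. The evidence list on each finding is what a later attestation would draw on: who opened the case, who changed access, and who signed any exception with what justification.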
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- The DOJ rule interpretation that distinguishes covered transactions from ordinary business exchange.
- Cyera's described classification engine for PII, PHI, and financial data across SaaS, PaaS, IaaS, DBaaS, and on-prem systems.
- Workflow examples for alerting privacy, security, and compliance teams when regulated data appears in risky access contexts.
- Audit logging and reporting details that support later attestation to regulators.
👉 Read Cyera's analysis of the DOJ bulk sensitive data rule and DSPM controls →
DOJ bulk data rules: what DSPM changes for IAM teams?
Explore further
Bulk sensitive data governance is now an identity problem as much as a data problem. The DOJ rule depends on knowing which people and systems can reach regulated data, which means access governance is part of compliance evidence, not a separate control plane. In practice, a dataset that is accurately classified but broadly reachable is still a governance failure, because access determines whether transfer restrictions can be enforced.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, Key Research and Survey Results.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who is accountable when sensitive personal data is transferred to a country of concern?
A: Accountability sits with the organisation that decides, allows, or fails to control the transaction. Contract language, internal access governance, and audit records all matter because they show who owned the decision and whether downstream controls were in place. If the processor is involved, that does not remove the controller’s obligation to prove control.
👉 Read our full editorial: DOJ bulk sensitive data rules raise the bar for DSPM governance