
October 6, 2025 15 mins

Your “encrypted” data may still be regulated and today the rules start to bite. We unpack how the Department of Justice’s Data Security Program moves from guidance to strict enforcement and why it reframes data governance as a national security mandate. From redefining “covered data” to treating anonymized and encrypted datasets as in-scope when they enable linkage or inference, we walk through what changes right now for risk leaders, counsel, and compliance teams.

We detail the two buckets that matter: prohibited transfers that stop cold, and restricted transfers that demand verifiable, ongoing controls. You’ll hear how the rule targets six countries of concern, China, Russia, Iran, North Korea, Cuba, and Venezuela, and why your contracts, audits, and vendor oversight must reach beyond first-line providers into sub-processors and hidden supply-chain links. We share a practical playbook: deep data mapping across systems and shadow IT, tiered vendor due diligence that verifies beneficial ownership and jurisdictional exposure, and contract clauses that add audit rights, localization, and explicit DSP obligations. Training becomes the connective tissue so sales, procurement, and operations can spot and halt restricted transactions before they happen.

Zooming out, we connect compliance to resilience. Treat this as a defense capability: build architectures that segment sensitive data, constrain cross-border flows, and maintain auditable trails. Prepare for forced decoupling scenarios with diversified providers and kill-switches. The hard question we leave you with: how many tiers deep should your due diligence go to prove control under this new national security lens? Press play to learn the steps to take today, and the mindset shift that will keep you both compliant and resilient. If this was useful, follow the show, share it with your team, and leave a review so more leaders can find it.



Don't forget to subscribe on your favorite podcast platform—whether it's Apple Podcasts, Spotify, or Amazon Music.

Please contact us directly at info@wheelhouseadvisors.com or feel free to connect with us on LinkedIn and X.com.

Visit www.therisktechjournal.com and www.rtj-bridge.com to learn more about the topics discussed in today's episode.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sam Jones (00:00):
Welcome back to the deep dive. Today we're really focusing in, uh, putting all our attention on something huge happening right now. It's a massive shift, potentially really disruptive in how we think about data governance and frankly national security. We're diving deep into the US Department of Justice's data security program. You'll hear it called the DSP. It was authorized under Executive Order 14117.

(00:20):
And I mean, it fundamentally redraws the lines for how organizations handle sensitive American data, especially when foreign entities are involved. Our mission today is simple: to cut through the jargon, the legalese, and really distill what this means for you. If you're a risk leader, a compliance officer, legal counsel, listen up. Because today, October 6th, 2025, that's the date, the critical enforcement date.

(00:41):
That short grace period that started back in April, it's over. Noncompliance now carries immediate weight.

Ori Wellington (00:46):
It really does. That switch, you know, from just guidance to actual strict enforcement, it changes the whole compliance picture, like overnight. The time to get ready is gone. The DOJ now expects, actively expects, organizations to show control. If your company handles large amounts of U.S. personal data or government-related data, this

(01:07):
isn't some nice to have anymore. It's immediate liability.

Sam Jones (01:10):
Okay, liability. So what's the core driver here? Why this? Why now? Well, the core purpose of the DSP is actually pretty straightforward. It's designed to stop the bulk transfer of Americans' really sensitive personal or government data, specifically to places, to jurisdictions the U.S. considers national security risks. So the stakes feel almost existential then. It's not just hoping you're doing the right thing anymore.

(01:32):
What's the absolute baseline requirement starting today? Okay, starting immediately, like right now, companies must implement and maintain a verifiable written compliance program. And verifiable is the key word there. It's a huge distinction. It's not just about, you know, drafting some policy and sticking it in a drawer. You have to be able to prove it with documents, with audit

(01:52):
trails. You need to show you know exactly where your covered data lives, who's got access to it, and critically, how that data stays protected when it's shared or processed across borders, especially with certain foreign partners. And if you can't prove it.

Ori Wellington (02:07):
If you can't prove it, well, the DOJ sees that as a failure to comply, plain and simple. And that opens the door to immediate penalties. Okay, let's unpack that definition of covered data, because I think this is where the scope gets, well, frankly, shocking for a lot of folks. The DOJ didn't just stick to the obvious things, did they? No, not at all. They've defined this really broad range of sensitive

(02:29):
categories. You've got personal identifiers, naturally, but then health information, genetic data, financial details, biometrics, even precise location data. I mean, that list alone pulls in almost every major tech and finance company, doesn't it? It absolutely does. But wait, here's the real kicker. The genuine compliance landmine, the part that could

(02:51):
totally change your tech requirements.

Sam Jones (02:52):
Okay.

Ori Wellington (02:53):
It's about anonymized and encrypted data. Wait, hang on. If data is encrypted, isn't that the whole point? Isn't it supposed to be protected? Are you saying the DOJ just sort of bypassed traditional data masking as a defense? That's exactly what I'm saying. The rule explicitly states that even data that's been anonymized or encrypted can still qualify as covered data.

(03:14):
The condition is if that data can somehow be linked back to individuals or if it can be used to infer sensitive insights about Americans. Wow. Think about what that means. If you run, say, machine learning models on encrypted data sets, and those models let you deduce health trends or maybe mobility patterns of Americans, that data, even though encrypted, is still restricted under this rule.

Sam Jones (03:37):
Okay, for anyone listening in data science or maybe fintech, that just sounds like their compliance job got ten times harder. They basically have to treat mass data almost like it's live PII now, because the potential for re-identification is seen as too big a national security risk.

Ori Wellington (03:51):
Precisely. It widens the net far beyond what most companies traditionally track or worry about.

Sam Jones (03:56):
And this incredibly broad definition of data. It's then applied very specifically, geopolitically speaking.

Ori Wellington (04:02):
Yes, it's paired with a focused geopolitical line. The rule targets six specific countries of concern. This ensures the compliance effort, the resources are really centered on preventing data flow to those jurisdictions the U.S. views as the highest risk. And those countries are. China, Russia, Iran, North Korea, Cuba, and Venezuela.

unknown (04:23):
Okay.

Sam Jones (04:23):
So China, Russia, Iran, North Korea, Cuba, Venezuela, if your organization has any kind of data processing, any operational ties, uh, vendors, partners in those countries, you absolutely need to know which restriction level applies because there are two, right? Correct. The DOJ created a pretty clear spectrum here, moving away from maybe past ambiguities. You've got two main buckets.

(04:44):
And understanding which bucket your transaction falls into basically dictates your whole compliance strategy. What's the first bucket?

Ori Wellington (04:51):
First, you have prohibited transactions. This is exactly what it sounds like. Hard stop, full stop, no transfers allowed, no licenses available, no exceptions. This typically applies to specific types of highly sensitive government data or, uh, certain bulk data sets deemed too critical.

Sam Jones (05:06):
So if you're dealing with that kind of data related to those countries, the message is severe: ensure it cannot move. Period.

Ori Wellington (05:15):
Period.
That's it.

Sam Jones (05:16):
Okay, what's the second category?

Ori Wellington (05:17):
Then you have restricted transactions. Now, these aren't banned completely, but, and this is a big but, they are only permitted if the company meets some incredibly strict ongoing requirements.

Sam Jones (05:28):
And this is likely where most multinational companies are going to feel the heat, right? This is where the bulk of the work and probably the expense lies.

Ori Wellington (05:35):
I think that's right. For restricted transfers, the core demand is proof. Establishing an auditable paper trail and showing rigorous continuous due diligence. To stay compliant here, organizations basically need systems up now to document every single relevant data exchange. You have to confirm the true ownership structure of your foreign counterparties, no shell games.

(05:57):
You need to assess their foreign risk exposure and perform annual audits. And remember, those annual audits, the clock starts now. They begin immediately.

Sam Jones (06:06):
Okay, that raises a really critical point about just feasibility. For the chief compliance officer listening right now, hearing implement a verifiable program overnight, including annual audits starting now. That sounds, well, daunting. What if a company uses standard commercial software? You know, off-the-shelf stuff where they maybe can't easily

(06:27):
see the entire underlying data pipeline. Are they really expected to be 100% compliant today?

Ori Wellington (06:33):
Look, the expectation is that you have a documented plan and you are executing it now.

Sam Jones (06:37):
Yeah.

Ori Wellington (06:38):
Immediately. The DOJ isn't naive. They understand this involves major infrastructure shifts for some companies. But the liability phase, that has begun. So they expect that data mapping work is already underway. They expect vendor vetting is a top priority. You essentially have to assume liability for any blind spots now. Ignorance isn't an excuse.

Sam Jones (06:56):
Right. Okay. So let's dig into those immediate practical steps because this really does reshape how companies use global data infrastructure. If I'm leading this effort inside my organization, what are the, say, first three things I absolutely must demand from my teams, like today?

Ori Wellington (07:09):
Okay, number one, internal mapping. And I mean deep mapping. This goes way beyond just knowing where your main databases are. You've got to comprehensively map your data flows, find every category of sensitive covered data, pinpoint exactly when and where it interacts with any system. That includes internal shadow IT systems, by the way. Any system that might connect even indirectly to foreign

(07:31):
operations in those countries of concern. It's like diagnosing your entire data infrastructure for hidden risks.

Sam Jones (07:37):
Okay, map the internal landscape first. Got it. But that data doesn't just sit there, right? It moves. So that immediately forces you to look outward at who you share it with globally.

Ori Wellington (07:46):
Exactly. Step two, evaluate your foreign vendors and cloud services. This is critical and honestly probably the most challenging part for many. Most businesses rely on dozens, maybe hundreds, of third-party providers. You now must vet them for jurisdictional exposure related to those six countries.

Sam Jones (08:04):
And it's not just your direct vendor, is it?

Ori Wellington (08:06):
No. The DOJ expects you to look deeper. Assess not just your direct vendor, but potentially their supply chain too, the subvendors. If your primary foreign partner uses a subprocessor operating out of one of the countries of concern, guess what? That risk flows up to you. It becomes your compliance problem.

Sam Jones (08:24):
Wow, okay. That supplier risk just got way more complex, which leads directly to needing immediate action on contracts, I assume.

Ori Wellington (08:32):
Absolutely. Step three is contracts. They need updating right now. This isn't just good practice. It's a legal requirement with real operational teeth. You need to insert new, strict data handling clauses. They should specifically reference the DSP guidance. They need to require your counterparties to prove their own compliance posture, maybe through audit rights.

(08:52):
And beyond just the contracts, organizations really need to immediately set up internal governance, clear reporting frameworks. There needs to be documented accountability for DSP rules right up to the executive level.

Sam Jones (09:04):
And you can't forget the people actually doing the work day to day. The human element. Training must be front and center, wouldn't you say?

Ori Wellington (09:10):
Oh, absolutely crucial. Training employees is vital. Especially people in roles like sales, procurement, operations, the ones making deals or setting up processes. They need to be able to spot a potentially restricted transaction before it happens. They need to understand this isn't just some IT problem or a legal thing handled elsewhere. It's an operational issue now.

(09:30):
And getting it wrong could lead to severe consequences for the company.

Sam Jones (09:34):
What kind of consequences are we talking?

Ori Wellington (09:36):
Well, there's the official stuff, civil penalties, potentially even criminal enforcement, depending on the severity and intent. But honestly, the bigger, maybe longer lasting consequence, losing trust, losing reputational standing, both commercially and, you know, nationally. That's catastrophic.

Sam Jones (09:53):
So stepping back a bit, what does this all mean in the bigger picture? This feels like it's about more than just ticking compliance boxes for data rules. It feels like a fundamental shift where data privacy has been sort of merged or elevated into a core national security mandate. That's precisely the synthesis here, I think. The data security program, the DSP, it signals this powerful

(10:15):
new alignment. Handling sensitive data is no longer just a technical issue or, you know, regulatory compliance task you assign to the back office. It's been institutionalized now as a fundamental geopolitical challenge. It forces us, all of us, to manage data responsibly, right where those digital boundaries smash up against national security interests.

(10:36):
Interesting. Is there a framework for thinking about this kind of intersection? Yeah, actually, if you look at it through an integrated risk management lens, an IRM perspective, like described in some of our source materials, the DSP really underscores the connection, the indivisibility of resilience and compliance. Okay, explain that. Resilience being what? The ability to anticipate these kinds of global shifts and

(10:59):
withstand them without your core business falling apart.

Ori Wellington (11:01):
Exactly. Resilience is about adapting, withstanding shocks. And compliance in this context is the verifiable, auditable action you take to meet the letter and the spirit of this new law. The two are now completely intertwined by this rule.

Sam Jones (11:15):
So the lesson for every risk leader listening.

Ori Wellington (11:18):
The lesson is unmistakable. Regulatory compliance has fundamentally changed. It's transformed. It is no longer just a reporting function or a cost center. It's now a frontline defense mechanism. This mandate makes it crystal clear. Your operational resilience, and frankly, the nation's ability to protect its interests and citizens is now being

(11:38):
fought partly through meticulous data protection protocols.

Sam Jones (11:41):
Right. Which brings us right back to today, October 6th, 2025. This milestone isn't just about checking a box on a form somewhere. It's truly about redefining what responsible data stewardship means in a world where digital operations and geopolitical borders are constantly colliding.

Ori Wellington (11:57):
It demands a whole new level of due diligence, one that has to extend deep, deep into your supply chain, deeper than most are probably used to.

Sam Jones (12:04):
And I think that leads us perfectly into our final provocative thought. Something for you to really chew on as you process all this critical information. Given that incredibly expansive definition of covered data, especially including anonymized and encrypted data if it can be linked back, the real test for compliance, it isn't just about auditing your own internal systems, is it?

Ori Wellington (12:26):
No, it goes beyond that.

Sam Jones (12:27):
It's about auditing your partners' partners. And maybe their partners. So the question is just how many tiers deep does your due diligence truly need to go now? How far down the supply chain must you look to ensure you are fully compliant in this demanding new national security landscape?

Ori Wellington (12:44):
A challenging question indeed. Thank you for joining us for this crucial deep dive.

Sam Jones (12:48):
We'll see you next time.