DOJ’s New Frontier: Regulation, Oversight, and Enforcement of Ex-U.S. Data Transfers
Client Alert | April 16, 2025
New U.S. Department of Justice regulations are now in effect, imposing significant restrictions on the flow of bulk sensitive personal data and government-related data from the United States to China and other “countries of concern.”
On April 8, 2025, new regulations[1] came into effect to address broad national security risks related to sensitive personal data and U.S. government-related data (the “Rule”). The Rule is the cornerstone of the U.S. Department of Justice’s (DOJ’s) new Data Security Program (DSP). The Rule, in concert with a Compliance Guide,[2] more than 100 Frequently Asked Questions (FAQs),[3] and an Implementation and Enforcement Policy[4] released in connection with a press release[5] on April 11, 2025, launches DOJ into a new role as data regulator—and imposes broad-reaching obligations for U.S. and multinational organizations to comply with new restrictions on cross-border transfers of Americans’ sensitive personal data. The DSP marks a significant shift in U.S. policy towards the free cross-border flow of data.
The Rule, implemented by DOJ’s National Security Division pursuant to President Biden’s 2024 Executive Order 14117,[6] addresses national security threats relating to the “weaponization” of sensitive personal data that have been a consistent focus across both the first Trump administration and the recent Biden administration. Indeed, the Rule was finalized in the waning days of the Biden administration but was subject to a 90-day period before becoming effective.[7] In DOJ’s announcement, Deputy Attorney General Todd Blanche made DOJ’s policy goals clear, stating, “If you’re a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans’ data when you can just buy it on the open market or force a company under your jurisdiction to give you access? … The Data Security Program makes getting that data a lot harder.”[8]
The Rule will meaningfully alter international data flows—including intracompany transfers—involving Americans’ sensitive personal data and U.S. government-related data. Specifically, it will prohibit or restrict “covered data transactions” that involve the sharing of or access to such data by “covered persons” or a “country of concern” (most importantly, the People’s Republic of China, inclusive of Hong Kong and Macau).
The DSP Compliance Guide and Implementation and Enforcement Policy signal this will be an area of focus for DOJ. These documents outline robust steps that entities must promptly undertake to ensure compliance under the Rule. Notably, the Compliance Guide contains prescriptive requirements that highlight the expectation that entities handling U.S. sensitive personal data and/or U.S. government-related data will have a keen understanding of their data, who has access to such data, and whether they engage in covered data transactions, and will develop and implement a tailored compliance program to ensure regulatory requirements are met.
DOJ has noted in the Implementation and Enforcement Policy that it will not prioritize civil enforcement actions for violations occurring between April 8 and July 8, 2025 as long as companies make “good faith efforts to comply with or come into compliance with” the Rule, though DOJ “will pursue penalties and other enforcement actions as appropriate for egregious, willful violations.”[9]
While the Rule is complex and requires careful analysis to assess compliance requirements, below are high-level areas of impact on which companies should focus to assess their obligations under the Rule and to ensure compliance:
- Review your data and data flows. Know your data. Understand (i) the nature, volume, geographic location and cybersecurity measures pertaining to covered data and (ii) where you are sending your data – and who has access. This should include review of intracompany transfers and access, as well as access by counterparties and vendors. The Compliance Guide highlights the importance of ascertaining the identity of parties to a covered data transaction and the end-use of the data, as well as the method of transfer.
- Assess impact of the regulatory prohibitions and restrictions. Conduct legal analysis of covered data transactions to assess whether such transactions are prohibited or restricted under the Rule, and whether any potential exemptions may apply. While the Rule includes exemptions to facilitate the continued cross-border flow of data, these exemptions are narrow and often complex to apply in practice.
- Develop and implement a tailored compliance program. A comprehensive risk assessment may facilitate the development of a compliance approach tailored to the nature and scope of covered data transactions. The compliance program should also address the various auditing, reporting, and recordkeeping requirements under the Rule. The Compliance Guide and FAQs provide detailed guidance on DOJ’s expectations for compliance programs, including written policies and procedures, due diligence protocols, senior leader and board review of annual attestations, training, and testing of internal controls.
- Establish the tone from the top—and resource the compliance team. DOJ is clear that a strong program will have senior management support and buy-in and set forth specific responsibilities for senior leadership. Notably, the CEO and board of directors are expected to review annual attestations and compliance reports—which must include whether the CEO has met with compliance personnel to discuss the DSP implementation, as well as engaged appropriate outside experts to verify the statements made in the annual certification. Companies are also expected to designate an individual with sufficient authority, technical expertise, and resourcing to lead the development and implementation of the data compliance program.
- Expect this landscape to evolve. Many open questions remain concerning the implementation of the Rule. DOJ has invited companies to submit informal inquiries about the Rule and related guidance and noted that companies can request new FAQ answers by email, though it recommended companies wait to submit requests for formal licenses or advisory opinions until after July 8, 2025.
Overview of the Rule
At its core, the Rule applies to transactions fulfilling the following three elements:
- The transaction must constitute a “covered data transaction”;
- The “covered data transaction” must involve (i) “bulk” “U.S. sensitive personal data” or (ii) “government-related data”; and
- The transaction must involve providing a “country of concern” or “covered person” with “access” to such controlled data.
Below, we present a high-level overview of the Rule and related guidance. Given the complexities of the Rule and the overall policy objectives it seeks to address, it is important also to consult DOJ’s commentary throughout the rule-making process (particularly in its final rule notice) and, potentially, outside counsel.
A. What types of transactions are “covered data transactions”?
“Covered data transactions” are those that involve “any access by a country of concern or covered person to any government-related data or bulk U.S. sensitive personal data and that involve[]” one of the following:[10]
- Data brokerage: “the sale of data, licensing of access to data, or similar commercial transactions … where the recipient did not collect or process the data directly from the individuals” linkable to the data;[11]
- A Vendor Agreement: “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person” for consideration;[12]
- An Employment Agreement: “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person” for consideration;[13] or
- An Investment Agreement: an “arrangement in which any person, in exchange for payment or other consideration, obtains direct or indirect ownership interests in or rights in relation to” U.S. real estate or a U.S. legal entity.[14] There is an exception for certain passive investments.[15]
B. What types of data are covered?
The Rule covers two types of data: (1) “government-related data” and (2) “bulk U.S. sensitive personal data” involved in covered data transactions.
- “Government-related data” includes the following types of data regardless of volume:
- “Bulk U.S. sensitive personal data” includes a set of “sensitive personal data relating to U.S. persons,” even if de-identified or encrypted,[19] exceeding specified thresholds in the preceding 12 months (beginning on April 8, 2025), whether through a single or multiple covered data transactions:[20]
| Data Type | Threshold |
| --- | --- |
| “Human ’omic data” (i.e., genomic data and similar[21]) | 1,000 U.S. persons, or 100 persons for genomic data |
| Biometric identifiers[22] | 1,000 U.S. persons |
| Precise geolocation data[23] | 1,000 U.S. devices |
| Personal health data[24] | 10,000 U.S. persons |
| Personal financial data[25] | 10,000 U.S. persons |
| “Covered personal identifiers” (see below) | 100,000 U.S. persons |
| Combined data | Lowest applicable threshold of U.S. persons or U.S. devices for any controlled data in the data set |
“[C]overed personal identifiers” is a broad category that covers many types of commonly circulated personal data. To define this category, the Rule first enumerates a set of “listed identifiers” (discussed below). “Covered personal identifiers” means data containing either (1) any listed identifier combined with another listed identifier; or (2) any listed identifier combined with other data enabling it to be linked to other identifiers or other sensitive personal data.[26]
The “listed identifiers” defined by the Rule include any piece of data in these categories:
- Government identification or account numbers (e.g., Social Security numbers);
- Full financial account numbers or personal identification numbers;
- Device-based or hardware-based identifiers (e.g., “SIM” numbers);
- Demographic or contact data (e.g., name, birth date, or mailing address);
- Advertising identifiers (e.g., Google Advertising ID, Apple ID for Advertisers);
- Account-authentication data (e.g., username or password);
- Network-based identifier (e.g., IP address); or
- Call-detail data (e.g., Customer Proprietary Network Information).[27]
Thus, for example, the Rule would cover a dataset of first and last names linked to Social Security numbers or mobile advertising IDs linked to email addresses.
The Rule does exclude two categories of common data:
- Demographic or contact data that is linked only to other demographic or contact data (such as first and last name linked to an email address); and
- A network-based identifier, account-authentication data, or call-detail data linked only to other such data, when necessary to provide telecommunications, networking, or similar services.[28]
Finally, the Rule also covers combinations of multiple covered data types, or data that contains any listed identifier linked to any of the above, if any individual data-type threshold is met.
C. To whom does the Rule apply?
The Rule applies directly to “U.S. persons,” defined to include U.S. citizens, nationals, lawful permanent residents, refugees, and asylees; entities organized solely under the laws of the United States (including foreign branches of U.S. persons); and any persons within the United States.[29]
D. What recipients of information are covered?
The prohibitions and restrictions apply when U.S. persons provide “access”[30] to covered data to a “country of concern” or “covered person.”
“Countries of Concern” currently include China (including Hong Kong and Macau),[31] Cuba, Iran, North Korea, Russia, and Venezuela.[32]
“Covered Persons” include the following:[33]
- Non-U.S. entities headquartered in or organized under the laws of a country of concern;
- Non-U.S. entities 50% or more owned by a country of concern or covered person;
- Non-U.S. individuals primarily resident in a country of concern;
- Non-U.S. individuals who are employees or contractors of a covered person entity or a country-of-concern government; and
- Any person—including a U.S. person—designated to DOJ’s Covered Persons List[34] (which has not yet been publicly released).
E. What types of transactions are prohibited?
Absent a license granted by DOJ, U.S. persons are prohibited from knowingly engaging in the following types of data brokerage transactions:[35]
- Data brokerage transactions involving covered data with a country of concern or covered person;[36]
- Covered data transactions with a country of concern or covered person that involve access to bulk human ’omic data or to biospecimens from which such data could be derived;[37]
- Any transaction with the purpose of evading the regulations, or that would cause or attempt to cause a violation of the regulations;[38] and
- Any transaction in which a U.S. person knowingly directs a transaction by a non-U.S. person that would be prohibited if engaged in by a U.S. person (or that would be restricted, when the requirements for a restricted transaction are not satisfied).[39]
In addition, the Rule affects data brokerage transactions with any foreign persons, even if they are not “covered persons.” A U.S. person may not knowingly engage in any data brokerage transaction involving access to the covered data types unless the U.S. person “[c]ontractually requires that the foreign person refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person”; and “[r]eports any known or suspected violations of this contractual requirement.”[40] Reports are due to DOJ within 14 days of the U.S. person becoming aware of an actual or potential violation.[41]
Finally, under the data security requirements developed by the Cybersecurity and Infrastructure Security Agency (CISA) described below, even when a data transaction does not fall within the prohibitions described above, covered persons are functionally prohibited from accessing covered data “that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and countries of concern.”[42]
F. What types of transactions are restricted?
The Rule also creates a second category of “restricted transactions”: covered data transactions with a country of concern or covered person involving a (1) vendor agreement, (2) employment agreement, or (3) investment agreement.[43] U.S. persons are prohibited from engaging in such transactions unless they meet specified data security requirements developed by CISA.[44] Yet, even if the CISA security requirements are fulfilled, some covered data transactions that involve a vendor, employment, or investment agreement remain de facto prohibited by the security requirements, namely those which “involve access by countries of concern or covered persons to bulk human genomic data or human biospecimens from which such data can be derived.”[45] The CISA security requirements applicable to restricted transactions include organizational- and system-level requirements (such as cybersecurity policies, access controls, and internal risk assessments) as well as data-level requirements (such as data minimization, data masking, and encryption).[46]
As of October 6, 2025, U.S. persons must also fulfill specific due diligence and audit requirements before engaging in restricted transactions.[47] The Compliance Guide issued by DOJ on April 11, 2025, outlines a framework for compliance.[48] Due diligence programs should include, among other things, procedures for ascertaining the identity of vendors and written data compliance and cybersecurity policies.[49] The Rule also requires a yearly independent audit to verify compliance with the requirements.[50]
U.S. persons engaged in restricted transactions involving cloud-computing services must file annual reports to DOJ if twenty-five percent or more of the U.S. person’s equity interests are owned, directly or indirectly, by a country of concern or covered person.[51] These annual reports must contain specific components outlined in the Rule.[52]
G. What if it is unclear whether a transaction is prohibited or restricted?
If a party is unsure whether a contemplated transaction is prohibited or restricted, it may request an advisory opinion from DOJ. The agency will attempt to respond within 30 days, and the requestor may rely on the written response,[53] provided its disclosures were accurate and complete and the opinion remains in force.[54]
H. What exemptions exist?
The Rule contains a variety of exemptions, though many are narrow and require careful review to confirm that they apply. At a high level, there are exemptions for:
- Transactions involving personal communications (e.g., by telephone) that do not involve the transfer of anything of value[55] or information or informational materials;[56]
- Transactions ordinarily incident to international travel;[57]
- Official business transactions of the U.S. government;[58]
- Transactions ordinarily incident to and part of financial services, including payment processing and regulatory compliance;[59]
- Transactions within corporate entities ordinarily incident to and part of administrative or ancillary business operations such as human resources, payroll, business travel, or customer support;[60]
- Transactions required or authorized by federal law or international agreements, or necessary for compliance with federal law;[61]
- Investment agreements subject to action by the Committee on Foreign Investment in the United States;[62]
- Transactions ordinarily incident to and part of the provision of telecommunications services;[63]
- Transactions related to drug, biological product, and medical device authorizations and data necessary to obtain those authorizations;[64] and
- Transactions ordinarily incident to and part of clinical investigations and post-marketing surveillance data.[65]
The application of the Rule is likely to be especially complex when a U.S. business wishes to share information with a foreign subsidiary, which in turn may wish to share data with its own employees. U.S. businesses in this situation may wish to seek the advice of counsel.
I. Are any licenses available?
The Rule adopts a licensing structure reminiscent of sanctions and export controls. These licenses would permit otherwise prohibited or restricted transactions.[66] However, the Federal Register notice accompanying the final rule notes that DOJ anticipates that “licenses will be issued only in rare circumstances” and that their issuance may be contingent on any requirements that DOJ deems appropriate.[67] When issued, general licenses will apply to all U.S. persons unless otherwise specified, while specific licenses will apply only to the parties seeking the license for a particular transaction.[68] To date, no licenses have been released publicly.
J. Are completed transactions affected?
No, the Rule does not apply to transactions completed prior to April 8, 2025.[69] However, DOJ may request information about transactions completed before the effective date.[70]
K. What other recordkeeping requirements exist?
The Rule requires U.S. persons to generate (and save for ten years) a complete record of each non-exempt covered data transaction.[71] For restricted transactions, the Rule prescribes a specific list of documentation that must be maintained, such as annual audit results.[72] The Rule also permits DOJ to request, at any time, reports on any act, transaction, or covered data transaction subject to the Rule.[73]
Additionally, and as noted above, beginning on October 6, 2025, U.S. persons that have received and affirmatively rejected an offer from another person to engage in a prohibited data brokerage transaction must file a report within 14 days.[74]
L. What are the penalties for noncompliance?
Violations of the Rule can result in civil monetary fines of up to $374,474 per violation (an amount adjusted annually for inflation) or twice the value of the transaction, whichever is greater.[75] Criminal penalties of up to US $1,000,000 or 20 years’ imprisonment are available for willful violations.[76] As opposed to most violations under U.S. export controls and economic sanctions, which are subject to a strict liability standard, penalties under the Rule operate under a “knowledge” standard, meaning “with respect to conduct, a circumstance, or a result, that the U.S. person had actual knowledge of, or reasonably should have known about, the conduct, circumstance, or result.”[77] In determining whether an entity knew or had reason to know of the violation, DOJ has stated that it will “take into account the relevant facts and circumstances, including the relative sophistication of the individual or entity at issue, the scale and sensitivity of data involved, and the extent to which the parties to the transaction . . . appear to have been aware of and sought to evade the application of” the Rule.[78] DOJ also noted that it will take into account companies’ voluntary self-disclosures (VSDs) in assessing violations and that failure to implement data compliance programs could be an “aggravating factor in any enforcement action.”[79]
Gibson Dunn lawyers are actively advising in this space and are available to assist in addressing any questions you may have regarding these issues.
[1] See 28 C.F.R. Part 202.
[2] See Dep’t of Just., Nat’l Sec. Div., Data Security Program: Compliance Guide (Apr. 11, 2025) [hereinafter DOJ Compliance Guide], https://www.justice.gov/opa/media/1396356/dl.
[3] See U.S. Dep’t of Just., Nat’l Sec. Div., Data Security Program: Frequently Asked Questions (Apr. 11, 2025) [hereinafter DSP FAQs], https://www.justice.gov/opa/media/1396351/dl.
[4] See U.S. Dep’t of Just., Nat’l Sec. Div., Data Security Program: Implementation and Enforcement Policy Through July 8, 2025 (Apr. 11, 2025) [hereinafter DOJ Enforcement Policy], https://www.justice.gov/opa/media/1396346/dl?inline.
[5] See Press Release, U.S. Dep’t of Just., Nat’l Sec. Div., Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries (Apr. 11, 2025) [hereinafter DOJ Press Release], https://www.justice.gov/opa/pr/justice-department-implements-critical-national-security-program-protect-americans-sensitive.
[6] Exec. Order 14117, 89 Fed. Reg. 15,421 (Mar. 1, 2024).
[7] See Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 90 Fed. Reg. 1636 (Jan. 8, 2025) [hereinafter DSP Final Rule].
[8] DOJ Press Release, supra note 5.
[9] DOJ Enforcement Policy, supra note 4, at 2.
[10] 28 C.F.R. § 202.210.
[11] Id. § 202.214. The regulations on brokerage transactions overlap significantly with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA), 15 U.S.C. § 9901. Although DOJ has acknowledged that the Final Rule and PADFAA are likely to place overlapping and conflicting obligations on businesses, DOJ declined to modify the rule to harmonize it to the law. It has promised to coordinate closely with the Federal Trade Commission (FTC) to harmonize enforcement. See DSP FAQs, supra note 3, at FAQ 12.
[12] 28 C.F.R. § 202.258.
[13] Id. § 202.217.
[14] Id. § 202.228(a).
[15] See id. § 202.228(b).
[16] See id. § 202.242.
[17] See id. § 202.1401.
[18] See id. § 202.222.
[19] Id. § 202.206.
[20] DSP FAQs, supra note 3, at FAQ 38.
[21] Human genomic data, human epigenomic data, human proteomic data, and human transcriptomic data, but excluding pathogen-specific data embedded in human ’omic data sets. See 28 C.F.R. § 202.224.
[22] “[M]easurable physical characteristics or behaviors used to recognize or verify the identity of an individual.” Id. § 202.204.
[23] “[D]ata, whether real-time or historical, that identifies the physical location of an individual or a device with a precision of within 1,000 meters.” Id. § 202.242.
[24] “[H]ealth information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.” Id. § 202.241.
[25] “[D]ata about an individual’s credit, charge, or debit card, or bank account, including purchases and payment history; data in a bank, credit, or other financial statement, including assets, liabilities, debts, or trades in a securities portfolio; or data in a credit report or in a ‘consumer report’ (as defined in 15 U.S.C. 1681a(d)).” Id. § 202.240.
[26] See id. § 202.212.
[27] Id. § 202.234.
[28] Id. § 202.212(b).
[29] See id. § 202.256.
[30] “Access” is a defined term that includes, among other things, “the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive” the information. Id. § 202.201.
[31] See id. § 202.208.
[32] See id. § 202.601; see also id. § 202.209.
[33] See DSP FAQs, supra note 3, at FAQ 14; see also 28 C.F.R. § 202.211.
[34] See DSP FAQs, supra note 3, FAQs 42, 43, & 52.
[35] See id., supra note 3, at FAQ 16.
[36] 28 C.F.R. § 202.301.
[37] Id. § 202.303.
[38] Id. § 202.304.
[39] Id. § 202.305. DOJ has noted, however, that although U.S. persons must conduct “know your customer” and “know your data” due diligence on foreign persons involved in data transactions, it does not expect or require “second-level due diligence on the employment practices of those foreign persons to determine whether their employees qualify as covered persons.” DSP FAQs, supra note 3, at FAQ 58; see id. at FAQ 79.
[40] 28 C.F.R. § 202.302 (emphasis added); see DSP FAQs, supra note 3, at FAQ 62. For sample contractual language, see DOJ Compliance Guide, supra note 2, at 5–6.
[41] See 28 C.F.R. § 202.302(b).
[42] See DSP FAQs, supra note 3, at FAQ 67.
[43] See 28 C.F.R. § 202.401; see also DSP FAQs, supra note 3, at FAQ 17.
[44] See Cybersecurity & Infrastructure Sec. Agency, Security Requirements for Restricted Transactions (Jan. 3, 2025) [hereinafter CISA Security Requirements], https://www.cisa.gov/sites/default/files/2025-01/Security_Requirements_for_Restricted_Transaction-EO_14117_Implementation508.pdf.
[45] See DSP FAQs, supra note 3, at FAQ 67.
[46] See CISA Security Requirements, supra note 44; see also DSP FAQs, supra note 3, at FAQs 66, 67, & 69.
[47] 28 C.F.R. §§ 202.1001–02.
[48] See DOJ Compliance Guide, supra note 2, at 11–16.
[49] See 28 C.F.R. § 202.1001.
[50] See id. § 202.1002.
[51] See id. § 202.1103.
[52] See id.; see also DSP FAQs, supra note 3, at FAQs 87–88.
[53] See DSP FAQs, supra note 3, at FAQs 98–99.
[54] 28 C.F.R. § 202.901(i).
[55] See id. § 202.501.
[56] See id. § 202.502.
[57] See id. § 202.503.
[58] See id. § 202.504.
[59] See id. § 202.505.
[60] See id. § 202.506.
[61] See id. § 202.507.
[62] See id. § 202.508.
[63] See id. § 202.509.
[64] See id. § 202.510.
[65] See id. § 202.511.
[66] See id. §§ 202.801–202.803; see also DSP FAQs, supra note 3, at FAQs 40–41.
[67] DSP Final Rule, 90 Fed. Reg. at 1,693.
[68] 28 C.F.R. §§ 202.801–02.
[69] DSP Final Rule, 90 Fed. Reg. at 1,645.
[70] See DSP FAQs, supra note 3, at FAQ 104.
[71] See 28 C.F.R. § 202.1101(a); see also DOJ Compliance Guide, supra note 2, at 9.
[72] See 28 C.F.R. § 202.1101(b); see also DSP FAQs, supra note 3, at FAQ 92.
[73] See 28 C.F.R. § 202.1102; see also DOJ Compliance Guide, supra note 2, at 9–10.
[74] See 28 C.F.R. § 202.1104; see also DSP FAQs, supra note 3, at FAQ 64.
[75] See 28 C.F.R. § 202.1301.
[76] See id.
[77] DSP FAQs, supra note 3, at FAQ 107.
[78] Id.
[79] Id.; see DOJ Compliance Guide, supra note 2, at 11. DOJ will also accept tips concerning non-compliance from third parties and notes that individual whistleblowers “may be eligible for substantial financial awards” to incentivize compliance monitoring. DSP FAQs, supra note 3, at FAQ 106.
© 2025 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.