Cloud // Software as a Service
03:10 PM
Connect Directly
Repost This

Managing Export-Controlled Data In The Cloud

As IT pros evaluate cloud computing services, they must be aware of federal regulations that restrict where certain data gets stored, or potentially face serious penalties.

Companies evaluating cloud computing must consider the regulatory compliance implications of this new approach to computing. One area of concern is whether any of your company’s data is controlled under U.S. export control rules, including whether use of cloud services could lead to the disclosure of controlled technical data without the required export authorization.

It is important to consider export control implications of IT decisions early in the process because U.S. export control rules have a strict liability standard, meaning that a violation occurs whether the unauthorized disclosure was accidental, negligent, or intentional. Individuals, as well as companies, may be held responsible for export violations. The penalties for non-compliance are severe, ranging from $250,000 to $1,000,000 per violation. Individuals could face up to 20 years imprisonment.

The most popular cloud computing option is public cloud computing. A common example is Web-based e-mail like Google’s Gmail. In the public cloud scenario, the customer generally has no control or knowledge over the exact location of the provided resources. Usually the customer is presented with a standard service level agreement with limited or no ability to tailor the terms of use. Without the ability to tailor the service parameters to a company’s business, it is likely that public cloud solutions will not meet export compliance standards, if such needs exist.

Recently, some cloud service providers have been marketing their services as export control compliant. Knowing the basic U.S. export control rules governing technical data should help companies decide whether cloud computing services being offered to them meet their export compliance needs for all their systems and applications.

IT departments must determine whether export-controlled data may be contained on their systems and work with their legal department to formulate a plan for handling such data inside or outside of the cloud. For the purposes of this discussion, controlled technical data is data controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Typically, this information is in the form of blueprints, drawings, models, formulae, specifications, photographs, plans, instructions, or documentation regarding an export-controlled item or service.

U.S. companies are prohibited from exporting controlled technical data to certain foreign countries without an export license. For example, sending an e-mail with export-controlled technical data to a customer in India would be an export of the data to India and could require export authorization.

The rules also restrict the release of export-controlled technical data to certain foreign nationals, inside or outside the U.S., without an export authorization. (To do so would be considered an export to that person’s country of citizenship.) Companies are often surprised by this rule. For example, if an American engineer in the U.S. walks blue prints for the manufacture of an export-controlled item down the hall to his colleague who happens to be an Indian citizen, or e-mails them to him, this would be considered an export to India and could require export authorization.

Companies in the defense industry should also be aware that, under ITAR, merely giving foreign nationals access to defense technical data, whether or not the foreign national actually views it, is considered an export that requires authorization.

1 of 2
Comment  | 
Print  | 
More Insights
The next wave in APM
The next wave in APM
Find out how to get the benefits of application monitoring while avoiding the complexity and performance headaches.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.