Companies evaluating cloud computing must consider the regulatory compliance implications of this new approach to computing. One area of concern is whether any of your company’s data is controlled under U.S. export control rules, including whether use of cloud services could lead to the disclosure of controlled technical data without the required export authorization.
It is important to consider export control implications of IT decisions early in the process because U.S. export control rules have a strict liability standard, meaning that a violation occurs whether the unauthorized disclosure was accidental, negligent, or intentional. Individuals, as well as companies, may be held responsible for export violations. The penalties for non-compliance are severe, ranging from $250,000 to $1,000,000 per violation. Individuals could face up to 20 years’ imprisonment.
Recently, some cloud service providers have been marketing their services as export control compliant. Knowing the basic U.S. export control rules governing technical data should help companies decide whether cloud computing services being offered to them meet their export compliance needs for all their systems and applications.
IT departments must determine whether export-controlled data may be contained on their systems and work with their legal department to formulate a plan for handling such data inside or outside of the cloud. For the purposes of this discussion, controlled technical data is data controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Typically, this information is in the form of blueprints, drawings, models, formulae, specifications, photographs, plans, instructions, or documentation regarding an export-controlled item or service.
U.S. companies are prohibited from exporting controlled technical data to certain foreign countries without an export license. For example, sending an e-mail with export-controlled technical data to a customer in India would be an export of the data to India and could require export authorization.
The rules also restrict the release of export-controlled technical data to certain foreign nationals, inside or outside the U.S., without an export authorization. (To do so would be considered an export to that person’s country of citizenship.) Companies are often surprised by this rule. For example, if an American engineer in the U.S. walks blueprints for the manufacture of an export-controlled item down the hall to his colleague who happens to be an Indian citizen, or e-mails them to him, this would be considered an export to India and could require export authorization.
Companies in the defense industry should also be aware that, under ITAR, merely giving foreign nationals access to defense technical data, whether or not the foreign national actually views it, is considered an export that requires authorization.