Cloud // Software as a Service
Commentary
11/18/2010
03:10 PM
Commentary
Commentary
Commentary
50%
50%

Managing Export-Controlled Data In The Cloud

As IT pros evaluate cloud computing services, they must be aware of federal regulations that restrict where certain data gets stored, or potentially face serious penalties.

Companies evaluating cloud computing must consider the regulatory compliance implications of this new approach to computing. One area of concern is whether any of your company’s data is controlled under U.S. export control rules, including whether use of cloud services could lead to the disclosure of controlled technical data without the required export authorization.

It is important to consider export control implications of IT decisions early in the process because U.S. export control rules have a strict liability standard, meaning that a violation occurs whether the unauthorized disclosure was accidental, negligent, or intentional. Individuals, as well as companies, may be held responsible for export violations. The penalties for non-compliance are severe, ranging from $250,000 to $1,000,000 per violation. Individuals could face up to 20 years imprisonment.

The most popular cloud computing option is public cloud computing. A common example is Web-based e-mail like Google’s Gmail. In the public cloud scenario, the customer generally has no control or knowledge over the exact location of the provided resources. Usually the customer is presented with a standard service level agreement with limited or no ability to tailor the terms of use. Without the ability to tailor the service parameters to a company’s business, it is likely that public cloud solutions will not meet export compliance standards, if such needs exist.

Recently, some cloud service providers have been marketing their services as export control compliant. Knowing the basic U.S. export control rules governing technical data should help companies decide whether cloud computing services being offered to them meet their export compliance needs for all their systems and applications.

IT departments must determine whether export-controlled data may be contained on their systems and work with their legal department to formulate a plan for handling such data inside or outside of the cloud. For the purposes of this discussion, controlled technical data is data controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Typically, this information is in the form of blueprints, drawings, models, formulae, specifications, photographs, plans, instructions, or documentation regarding an export-controlled item or service.

U.S. companies are prohibited from exporting controlled technical data to certain foreign countries without an export license. For example, sending an e-mail with export-controlled technical data to a customer in India would be an export of the data to India and could require export authorization.

The rules also restrict the release of export-controlled technical data to certain foreign nationals, inside or outside the U.S., without an export authorization. (To do so would be considered an export to that person’s country of citizenship.) Companies are often surprised by this rule. For example, if an American engineer in the U.S. walks blue prints for the manufacture of an export-controlled item down the hall to his colleague who happens to be an Indian citizen, or e-mails them to him, this would be considered an export to India and could require export authorization.

Companies in the defense industry should also be aware that, under ITAR, merely giving foreign nationals access to defense technical data, whether or not the foreign national actually views it, is considered an export that requires authorization.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
8 Steps to Modern Service Management
8 Steps to Modern Service Management
ITSM as we know it is dead. SaaS helped kill it, and CIOs should be thankful. Hereís what comes next.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.