Export controls and sanction requirements have been around for years, but are taking on increasing prominence. It is good to be aware of some of the considerations that go into implementing an effective compliance program for export controls regulations and their controls on information and technology.
Elements of a well-run compliance program
In addition to controls on the export of goods, export control regulations include the concept of “deemed exports.” The release of technology or software subject to Export Administration Regulations (EAR) to a foreign person is deemed to be an export to a foreign person’s country of nationality, and thus requires the same export license as would any other export to that country. Similarly, under the International Traffic in Arms Regulations (ITAR), “export” includes disclosure or transferring technical data to a non-U.S. person, whether in the United States or abroad. The export agencies treat access to information the same as an actual release of information, even in situations where there has not been any actual contact between a foreign person and the controlled information.
Exportation of controlled information can occur orally, visually or by any other means that results in a transfer of controlled information to a non-U.S. national. The method by which the data is communicated to a non-U.S. person is irrelevant: it can be hand carried, shipped by air or sea, transmitted (or accessed) electronically, communicated by telephone or fax, or viewed in person. Export even includes the concept of exposing a foreign person to a data-rich environment that gives clues as to controlled information, such as a research and development lab or a production facility.
At many firms, all efforts to control information are encapsulated in a technology control plan (TCP). Under the TCP, the company takes a series of steps, including physical security, escort procedures and restrictions on computer and network access using a mix of encryption, passwords, and other appropriate restrictions, to safeguard technical data associated with the manufacture of defense articles or defense services from unauthorized access by foreign national employees, or any other persons who are not either U.S. citizens or green card holders.
The typical elements of a TCP are:
• A description of the information that is controlled for access by foreign nationals;
• A description of the security measures being implemented to control access to the controlled information;
• A description of procedures for informing the foreign person of the applicable export controls requirements;
• A description of which company employees will be in charge of discharging the TCP requirements, including logging in foreign nationals, escorting them and providing an overview of the required TCP procedures;
• A description of procedures for controlling access to equipment that could be used to copy or transmit controlled information; and
• A requirement that the foreign national sign a certificate acknowledging briefing on the requirements of U.S. export controls and the restrictions in the TCP, including a reassurance that the person will comply with applicable provisions of the TCP.
Physical security also is a necessary part of any TCP. The key procedures that are usually appropriate include the following:
• Restrictions on the unescorted access to buildings, laboratories or offices with controlled goods or information;
• Segregation of controlled work spaces and their restriction from access by foreign nationals;
• Tracking of visitors, including through the use of visitor logs, escorts of visitors and controls on the use of cell and smart phones, cameras, radio transmitters, fax machines, email, laptops, personal digital assistants, flash drives and electronic and mechanical recording and storage devices within the company by foreign nationals;
• Mandatory badging procedures, including requirements that badges contain the person’s name, the areas where the person is allowed to visit, whether an escort is needed and the badge’s expiration time. Many companies color code badges to allow ready identification of visitors and their status by all company personnel;
• Procedures for screening and preventing access by service providers, such as delivery, maintenance and repair personnel, computer technicians and cleaning crews and any other service providers who may have access to shipping and receiving areas or be close to areas with controlled information; and
• End-of-day procedures, including the lockdown of computer networks, the placement of controlled items in locked cabinets and drawers and securing of the entire controlled environment.
Given the importance of restrictions on technical data and controlled information, the TCP necessarily must focus on restrictions on access to the computer networks and databases that contain restricted information. Typical information technology restrictions include:
• Network security provisions, including password protection, segregated access to export-controlled information and blocks on downloading content;
• Provision of clean access points for visitors that cannot reach export-controlled information;
• Restrictions on outside access to the network, including firewalls, strong passwords and user-authentication protocols, regular changes to log-in information and secure data transmission practices;
• Procedures to ensure the secure storage of backup information, in a fashion that is not accessible to foreign nationals; and
• Strict prohibition of controlled data on portable devices, in favor of virtual access through secure virtual entry points. Where such information absolutely must be placed on a portable device, the TCP should prohibit doing so unless it is first encrypted.
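As an added illustration (not from the article or any particular company's TCP), the following Python audit applies the deemed-export rule and the portable-device restriction above to constructed access records. The roster, dataset labels, country codes and the "user, dataset, device" log format are all assumptions; a "U.S. person" follows the article's definition of U.S. citizen or green card holder.

```python
from dataclasses import dataclass

# Constructed model of a TCP access check; names and countries are hypothetical.
@dataclass(frozen=True)
class Person:
    nationality: str                       # country of nationality, e.g. "DE"
    us_citizen: bool = False
    green_card: bool = False
    tcp_certificate_signed: bool = False   # signed the TCP briefing certificate

    @property
    def is_us_person(self) -> bool:
        return self.us_citizen or self.green_card

@dataclass(frozen=True)
class Dataset:
    export_controlled: bool
    licensed_countries: frozenset = frozenset()   # countries with a license on file

def access_decision(person, dataset, portable_device=False, encrypted=False):
    # Access counts as release, so viewing, copying and downloading are all checked.
    if not dataset.export_controlled:
        return True, "not export-controlled"
    if portable_device and not encrypted:
        return False, "controlled data on unencrypted portable device"
    if person.is_us_person:
        return True, "U.S. person"
    if not person.tcp_certificate_signed:
        return False, "foreign national has not signed the TCP certificate"
    if person.nationality in dataset.licensed_countries:
        return True, "export license on file for " + person.nationality
    return False, "deemed export to " + person.nationality + " without license"

def audit(records, people, datasets):
    # records are constructed "user, dataset, device" lines; returns TCP violations
    findings = []
    for line in records:
        user, label, device = (f.strip() for f in line.split(","))
        ok, reason = access_decision(people[user], datasets[label],
                                     portable_device=device.startswith("usb"),
                                     encrypted=device.endswith("-enc"))
        if not ok:
            findings.append((user, label, reason))
    return findings

# Constructed sample roster, datasets and access log
PEOPLE = {"alice": Person("US", us_citizen=True),
          "bruno": Person("DE", tcp_certificate_signed=True),
          "chen": Person("CN", tcp_certificate_signed=True)}
DATASETS = {"brochure": Dataset(False),
            "ear-drawings": Dataset(True, frozenset({"DE"}))}
SAMPLE_LOG = ["alice, ear-drawings, workstation", "bruno, ear-drawings, workstation",
              "chen, ear-drawings, workstation", "bruno, ear-drawings, usb-plain",
              "chen, brochure, usb-plain", "alice, ear-drawings, usb-enc"]
```

Running `audit(SAMPLE_LOG, PEOPLE, DATASETS)` flags two records: the unlicensed foreign-national access and the copy of controlled data to an unencrypted USB device.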