Export controls on information and technology

Jan. 1, 2020
Export controls and sanction requirements have been around for years, but are taking on increasing prominence. It is good to be aware of some of the considerations that go into implementing an effective compliance program for export controls regulati

Export controls and sanction requirements have been around for years, but are taking on increasing prominence. It is good to be aware of some of the considerations that go into implementing an effective compliance program for export controls regulations and their controls on information and technology.

Elements of a well-run compliance program
In addition to controls on the export of goods, export control regulations include the concept of “deemed exports.” The release of technology or software subject to Export Administration Regulations (EAR) to a foreign person is deemed to be an export to a foreign person’s country of nationality, and thus requires the same export license as would any other export to that country. Similarly, under the International Traffic in Arms Regulations (ITAR), “export” includes disclosure or transferring technical data to a non-U.S. person, whether in the United States or abroad. The export agencies treat access to information the same as an actual release of information, even in situations where there has not been any actual contact between a foreign person and the controlled information.

Exportation of controlled information can occur either orally or visually — by any means that results in a transfer of controlled information to a non-U.S. national. The method by which the data is communicated to a non-U.S. person is irrelevant — it can be hand carried, shipped by air or sea, transmitted (or accessed) electronically, communicated by telephone or fax or by in-person viewing. Export even includes the concept of exposing a foreign person to a data-rich environment that gives clues as to controlled information, such as a research and development lab or a production facility.

At many firms, all efforts to control information are encapsulated in a technology control plan (TCP). Under the TCP, the company takes a series of steps, including physical security, escort procedures and restrictions on computer and network access using a mix of encryption, passwords, and other appropriate restrictions, to safeguard technical data associated with the manufacture of defense articles or defense services from unauthorized access by foreign national employees, or any other persons who are not either U.S. citizens or green card holders.

The typical elements of a TCP are:
• A description of the information that is controlled for access by foreign nationals;
• A description of the security measures being implemented to control access to the controlled information;
• A description of procedures for informing the foreign person of the applicable export controls requirements;
• A description of which company employees will be in charge of discharging the TCP requirements, including logging in foreign nationals, escorting them and providing an overview of the required TCP procedures;
• A description of procedures for controlling access to equipment that could be used to copy or transmit controlled information, and;
• A requirement that the foreign national sign a certificate acknowledging briefing on the requirements of U.S. export controls and the restrictions in the TCP, including a reassurance that the person will comply with applicable provisions of the TCP.

PAGE 2

Physical security also is a necessary part of any TCP. The key procedures that are usually appropriate include the following:
• Restrictions on the unescorted access to buildings, laboratories or offices with controlled goods or information;
• Segregation of controlled work spaces and their restriction from access by foreign nationals;
• Tracking of visitors, including through the use of visitor logs, escorts of visitors and controls on the use of cell and smart phones, cameras, radio transmitters, fax machines, email, laptops, personal digital assistants, flash drives and electronic and mechanical recording and storage devices within the company by foreign nationals;
• Mandatory badging procedures, including requirements that badges contain the person’s name, the areas where the person is allowed to visit, whether an escort is needed and the badge’s expiration time. Many companies color code badges to allow ready identification of visitors and their status by all company personnel.
• Procedures for screening and preventing access by service providers, such as delivery, maintenance and repair personnel, computer technicians and cleaning crews and any other service providers who may have access to shipping and receiving areas or be close by areas with controlled information, and;
• End-of-day procedures, including the lockdown of computer networks, the placement of controlled items in locked cabinets and drawers and securing of the entire controlled environment.

Given the importance of restrictions on technical data and controlled information, the TCP necessarily must focus on restrictions or accessing the computer networks and databases that contain restricted information. Typical information technology restrictions include:
• Network security provisions, including password protection, segregated access to export-controlled information and blockages on downloading content;
• Provisions of clean access points for visitors that are incapable of allowing access to export-controlled information;
• Restrictions on outside access to the network, including firewalls, strong passwords and user-authentication protocols, regular changes to log-in information and secure data transmission practices;
• Procedures to ensure the secure storage of backup information, in a fashion that is not accessible to foreign nationals, and;
• Strict prohibition of controlled data on portable devices, in favor of virtual access through secure virtual entry points. Where such information absolutely must be placed on a portable device, the TCP should prohibit doing so unless it is first encrypted.

About the Author

Gregory Husisian

Husisian is Of Counsel with Foley & Lardner LLP, which has a dedicated team covering the areas of U.S Regulation of Exports and International Conduct and a comprehensive Automotive Industry Team with offices in Washington D.C., Detroit, Tokyo, Europe and Shanghai. For export controls, economic sanctions, FCPA and other international questions, contact Husisian at [email protected]. For M&A, labor and employee benefits, restructuring, supply chain contracting, IP, corporate securities and finance and commercial litigation, please contact Detroit Partners Mark A. Aiello at [email protected] or Thomas B. Spillane at [email protected].

Sponsored Recommendations

Best Body Shop and the 360-Degree-Concept

Spanesi ‘360-Degree-Concept’ Enables Kansas Body Shop to Complete High-Quality Repairs

ADAS Applications: What They Are & What They Do

Learn how ADAS utilizes sensors such as radar, sonar, lidar and cameras to perceive the world around the vehicle, and either provide critical information to the driver or take...

Banking on Bigger Profits with a Heavy-Duty Truck Paint Booth

The addition of a heavy-duty paint booth for oversized trucks & vehicles can open the door to new or expanded service opportunities.

Boosting Your Shop's Bottom Line with an Extended Height Paint Booths

Discover how the investment in an extended-height paint booth is a game-changer for most collision shops with this Free Guide.