How US National Security Policy Impacts Your Company’s Data Policies | Procopio, Cory, Hargreaves & Savitch LLP

Even a layperson understands that the US government regulates the export of military hardware. Defense contractors involved in such international transactions adhere to the International Traffic in Arms Regulation, or ITAR (See 22 CFR Parts 120-130), which governs the manufacture, export, and temporary import of defense articles, the furnishing of defense services, and brokering activities involving items described on the United States Munitions List. However, the ITAR story does not begin and end with the export of controlled physical items out of the United States. Data controls are also an essential part of the regulations.

For defense contractors, adherence to ITAR requirements is a top-level concern that should be addressed in any regulatory compliance program the contractor implements. Business fines, personal civil and criminal penalties, and loss of export licenses can damage and disrupt a small enterprise to a point where recovery might well be unlikely.

For any company’s “C-Suite,” understanding that the export of physical products such as body armor, firearms components, or certain chemicals may trigger ITAR license and registration requirements is relatively straightforward. The classification of controlled “technical data” under ITAR presents a special challenge for any company’s management because it is both more abstract and harder to identify and manage than a piece of equipment or hardware.

“Data” in common parlance is an inherently broad term. Merriam-Webster defines data as “information in digital form that can be transmitted or processed.” We are no doubt surrounded by and consumed with data in the modern age; data is omni present.

Part of the challenge in managing the flow of so much data is the maintenance of data privacy. One need only look at the California Consumer Privacy Act or the European Union’s General Data Protection Regulation to confirm that the protection of data and privacy controls are of extreme Concern to regulators, lawmakers, legal practitioners, and the larger business community. Maintaining privacy means controlling the sharing of data and properly protecting the data.

For purposes of the ITAR, the maintenance of privacy controls and strict protection around a very specific type of data is not only important in terms of general privacy and compliance but is also essential for the protection of national security interests. At the heart of the regulations. Under ITAR, technical data includes information “required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions and documentation. ”(See 22 CFR Part 120.10)

The unlicensed disclosure of technical data, inadvertent or otherwise, oral or visual, or the unlicensed transfer of technical data, to a foreign person whether in the United States or abroadcan trigger an ITAR violation as a “deemed export.” It does not matter if the data is shared here at home or outside of the United States; if the person with whom this type of data is shared is not a US Person (See 22 CFR Part 120.16) and there is no license acquired to cover the shared information, a violation of the ITAR may be triggered as a “deemed export” and the penalties may be swift and severe.

Knowing that “deemed export” control under ITAR means there is no automatic safety in a purely domestic sharing of technical data admittedly does little to comfort those who might deal in this type of data. Indeed, not only must defense-related companies consider the ramifications It only takes one PowerPoint slide viewing, one careless statement, the failure to maintain encryption protocols on laptops, or Some other casual oversight at the home office to trigger a violation. No one wants that to happen, do they?

Now, maybe you’re thinking, Holy cow !! I was not aware of what constitutes a deemed export and Gunnar Gustafson was in my office yesterday when I showed him the specs on that very cool UAV project we have with the Navy funded by a Small Business Innovation Research Loan… what should I do?

If you or anyone in your company suspects there has been a deemed export of technical data subject to ITAR control, and in so doing, a violation has occurred, a Voluntary Self Disclosure (VSD) of the incident should be made to the US State Department’s Directorate of Defense Trade Controls (DDTC). Such a disclosure can go a long way toward diminishing penalties and fines, as the DDTC will view the disclosure as one of the mitigating factors in assessing the application of the applicable administrative penalties.

The VSD process can and should be conducted with the assistance of competent and knowledgeable counsel. To learn more about what this process entails and how it should be approached, tune in next month for my follow-up on this important piece of the compliance puzzle.

The purpose of the ITAR is to protect the national security interests of the United States. Though it is easy to think about national security in the broader international context, it might not be as “natural” to think about the pitfalls that are present right here at home.

To quote one of the greatest basketball coaches of all time, the now-retired Mike Krzyzewski, “Champions play as they practice. Create a consistency of excellence in all your habits.” Defense contractors must create that consistency of excellence in all of their operations It is essential for companies to keep pace with requirements and avoid falling short of ITAR and other regulatory and compliance frameworks. The international marketplace. With the right approach, contractors can successfully engage in business while promoting and protecting American security interests no matter where they do business.