Regulatory policy

How US National Security Policy Affects Your Company’s Data Policies | Procopio, Cory, Hargreaves & Savitch LLP

Even a layman understands that the US government regulates the export of military equipment. Defense contractors involved in such international transactions adhere to the International Traffic in Arms Regulations, or ITAR (See 22 CFR Parts 120-130), which governs the manufacture, temporary export and import of defense articles, the provision of defense services, and brokering activities involving items on the United States Munitions List. However, the ITAR story does not begin and end with the export of controlled physical items out of the United States. Data control is also an essential part of the regulations.

For defense contractors, meeting ITAR requirements is a top concern that must be addressed in any regulatory compliance program implemented by the contractor. Trade fines, personal civil and criminal penalties, and the loss of export licenses can damage and disrupt a small business to such an extent that recovery may well be unlikely.

For the “C-suite” of any business, understanding that the export of physical products such as body armor, firearms components, or certain chemicals can trigger ITAR licensing and registration requirements is relatively simple. The classification of “technical data” controlled under ITAR presents a particular challenge for the management of any company because it is both more abstract and more difficult to identify and manage than equipment or material.

“Data” in common parlance is an inherently broad term. Merriam-Webster defines data as “information in digital form that can be transmitted or processed.” We are undoubtedly surrounded and consumed by data in the modern era; data is everywhere.

Part of the challenge in managing the flow of so much data is maintaining data privacy. One need only consult the California Consumer Privacy Act or the European Union’s General Data Protection Regulation to confirm that data protection and privacy controls are of utmost concern to regulators, legislators, lawyers and the business community at large. Maintaining privacy means controlling data sharing and properly protecting data.

For ITAR purposes, maintaining strict privacy controls and protection around a very specific type of data is not only important in terms of general privacy and compliance, but is also essential for protecting the interests of national security. At the heart of the regulations is the objective of protecting technical data related to military articles and services. According to the ITAR, technical data includes information “necessary for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of plans, drawings, photographs, blueprints, instructions and documentation. (See 22 CFR Part 120.10)

Unauthorized disclosure of Technical Data, inadvertently or otherwise, orally or visually, or unauthorized transfer of Technical Data, to any outside person whether in the United States or abroad, can trigger an ITAR violation as a “deemed export”. It doesn’t matter whether the data is shared here with us or outside of the United States; if the person with whom this type of data is shared is not a US Person (See 22 CFR Part 120.16) and no license has been acquired to cover the information shared, an ITAR violation can be triggered as a “deemed export” and penalties can be swift and severe.

Knowing that the “deemed export” control under ITAR means there is no automatic security in a purely domestic sharing of technical data is certainly no comfort to those who might deal with this kind of data. Indeed, not only do defence-related businesses need to consider the ramifications of alleged exports, but likewise universities, tech companies, and even law firms should all be aware of the control of industry-related data. of the defense. All it takes is a viewing of PowerPoint slides, a careless statement, the inability to maintain encryption protocols on laptops, or another occasional oversight in the home office to trigger a breach. Nobody wants that to happen, do they?

Now maybe you’re thinking, Holy cow!! I was unaware of what constitutes a deemed export and Gunnar Gustafson was in my office yesterday when I showed him the specs for this very cool UAV project we have with the Navy funded by a research loan for the small business innovation… what should I do?

If you or someone in your organization suspects that there has been an alleged export of technical data under ITAR control and in so doing a breach has occurred, a voluntary self-disclosure (VSD) of the incident must be made to the US State Department. Defense Trade Control Directorate (DDTC). Such disclosure can go a long way toward reducing penalties and fines, as DDTC will consider disclosure as one of the mitigating factors in assessing the application of applicable administrative penalties.

The VSD process can and should be conducted with the assistance of a competent and knowledgeable attorney. To learn more about what this process entails and how it should be approached, tune in next month for my follow-up on this important piece of the compliance puzzle.

The purpose of ITAR is to protect the national security interests of the United States. While it’s easy to think of national security in the larger international context, it may not be so “natural” to think of the pitfalls that are present right here at home.

To quote one of the greatest basketball coaches of all time, Mike Krzyzewski, now retired, “Champions play the way they train. Create a consistency of excellence in all your habits. Defense contractors must create this consistency of excellence across all of their operations, both at home and abroad, to protect not just the technical data they may be working with, but all of their processes and procedures. It is critical for businesses to keep pace with requirements and avoid falling behind ITAR and other regulatory and compliance frameworks. The international market for those working in the field of defense is difficult and complex. With the right approach, entrepreneurs can successfully engage in business while promoting and protecting US security interests, no matter where they do business.