Managing Export-Controlled Data In The Cloud - InformationWeek


As IT pros evaluate cloud computing services, they must be aware of federal regulations that restrict where certain data gets stored, or potentially face serious penalties.

Companies evaluating cloud computing must consider the regulatory compliance implications of this new approach to computing. One area of concern is whether any of your company’s data is controlled under U.S. export control rules, including whether use of cloud services could lead to the disclosure of controlled technical data without the required export authorization.

It is important to consider export control implications of IT decisions early in the process because U.S. export control rules have a strict liability standard, meaning that a violation occurs whether the unauthorized disclosure was accidental, negligent, or intentional. Individuals, as well as companies, may be held responsible for export violations. The penalties for non-compliance are severe, ranging from $250,000 to $1,000,000 per violation. Individuals could face up to 20 years imprisonment.

The most popular cloud computing option is public cloud computing. A common example is Web-based e-mail like Google’s Gmail. In the public cloud scenario, the customer generally has no control over, or knowledge of, the exact location of the provided resources. Usually the customer is presented with a standard service level agreement with limited or no ability to tailor the terms of use. Without the ability to tailor the service parameters to a company’s business, it is likely that public cloud solutions will not meet export compliance standards, if such needs exist.

Recently, some cloud service providers have been marketing their services as export control compliant. Knowing the basic U.S. export control rules governing technical data should help companies decide whether cloud computing services being offered to them meet their export compliance needs for all their systems and applications.

IT departments must determine whether export-controlled data may be contained on their systems and work with their legal department to formulate a plan for handling such data inside or outside of the cloud. For the purposes of this discussion, controlled technical data is data controlled under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Typically, this information is in the form of blueprints, drawings, models, formulae, specifications, photographs, plans, instructions, or documentation regarding an export-controlled item or service.

U.S. companies are prohibited from exporting controlled technical data to certain foreign countries without an export license. For example, sending an e-mail with export-controlled technical data to a customer in India would be an export of the data to India and could require export authorization.

The rules also restrict the release of export-controlled technical data to certain foreign nationals, inside or outside the U.S., without an export authorization. (To do so would be considered an export to that person’s country of citizenship.) Companies are often surprised by this rule. For example, if an American engineer in the U.S. walks blueprints for the manufacture of an export-controlled item down the hall to his colleague who happens to be an Indian citizen, or e-mails them to him, this would be considered an export to India and could require export authorization.

Companies in the defense industry should also be aware that, under ITAR, merely giving foreign nationals access to defense technical data, whether or not the foreign national actually views it, is considered an export that requires authorization.
