At the Update Conference recently hosted by the Bureau of Industry and Security (“BIS”), the Office of Export Enforcement introduced a newly established Cyber Division to manage the increasing number of disclosures it is receiving related to cyber incidents. This announcement signals increased regulatory scrutiny in cyber incidents and underscores the need for companies to update their cyber governance programs and incident response plans to analyze whether impacted data is subject to US export controls and may trigger disclosure or reporting obligations to US government agencies. These export control considerations build on the sanctions risks that the US Treasury Department’s Office of Foreign Assets Control has highlighted in the ransomware context, as we have previously blogged about here, here, and here.

Background on US Export Controls & Who Must Comply

There are two key US export control regimes: military and “dual-use.” Military export controls are implemented primarily under the International Traffic in Arms Regulations (“ITAR”) administered by the US State Department’s Directorate of Defense Trade Controls (“DDTC”). Dual-use controls, applicable to items that have both civilian and military applications, are implemented under the Export Administration Regulations (“EAR”) administered by BIS. Regardless of where the business is located (US and non-US entities alike), these regulations apply to controlled technology or technical data, software (both object code and source code), or hardware subject to ITAR or EAR jurisdiction.

Under both sets of regulations, companies must ensure that exports, reexports, transfers, and “releases” outside the United States of controlled technology, technical data, software, or hardware comply with the ITAR or EAR, as applicable.  US export controls also apply to the release of controlled technology/technical data or software source code to foreign nationals in the United States or third-country nationals outside the United States.

Identifying Data & Assets Subject to Export Controls 

For purposes of identifying data potentially in scope, the concept of technology or technical data is broad.  Examples may include proprietary information contained in blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, production processes, manuals or documentation, and electronic media.  That said, not all US technology/technical data or software source code is controlled under US export controls.  Accordingly, many companies conduct a data mapping exercise to identify data potentially in scope and determine what level of US export controls may apply to the technology/technical data or software they develop and/or use.  Broadly speaking, controlled technology for EAR purposes typically is proprietary information that is required for the development or production of a controlled item.  The ITAR captures broad categories of technical data related to defense articles.

Cyber Incident Response & Data Exfiltration

When cyber incidents involve potential access to or exfiltration by an unauthorized actor of controlled technology/technical data or software (collectively “Controlled Technology”), companies must determine whether there are contractual or statutory reporting obligations. An incident response plan or playbook should include a checklist to determine whether the incident should be reported to DDTC and/or BIS. This is particularly important if there are concerns that Controlled Technology may end up in a prohibited destination or with a prohibited party (e.g., one on the Entity List, Denied Persons List, or Specially Designated Nationals and Blocked Persons List, among others). The ITAR mandates disclosure of violations involving countries subject to US arms embargoes (which include Belarus, China, and Russia). Accordingly, a company concerned that Controlled Technology under the ITAR has ended up in one of those embargoed countries would likely have a mandatory reporting obligation to DDTC.

Voluntary Disclosure Considerations

Even if the incident does not impose mandatory reporting obligations, voluntary disclosure may be warranted.  A careful consideration of risks and benefits of a voluntary disclosure, based on specific facts and circumstances, should inform a determination on whether to make a voluntary disclosure to DDTC or BIS. For example, given that these agencies may learn on their own about a company’s Controlled Technology ending up in a prohibited destination or with a prohibited party, a voluntary disclosure could mitigate the risk of future investigation.  DDTC and BIS have significant discretion to impose civil penalties for violations of the regulations they administer, and such penalties can add up quickly, particularly if they involve aggravating factors.

Proactive Cyber Risk Mitigation for Data Subject to US Export Controls

To proactively reduce risks found at the intersection of US export controls and cybersecurity, companies can take the following steps:

  • Identify Controlled Technology under the ITAR or EAR whether developed internally or procured from third parties;
  • Implement appropriate technology control plans and security controls for Controlled Technology so that their use, exports, reexports, transfers, or releases comply with the ITAR and/or EAR;
  • Ensure incident response plans and playbooks include a checklist and clear steps on what to do if Controlled Technology may be impacted by a cyber incident, including reporting obligations to DDTC and/or BIS; and
  • Test your plans and playbooks with key stakeholders in a tabletop exercise to make sure the organization has practiced an incident that may involve Controlled Technology and reporting to DDTC and/or BIS.

The cybersecurity and trade compliance teams at Baker McKenzie stand ready to help companies work through these issues and implement practical measures to mitigate risks.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Sylwia has extensive experience advising companies on US laws relating to exports and reexports of commercial goods and technology, defense trade controls and trade sanctions — including licensing, regulatory interpretations, compliance programs and enforcement matters. She also has advised clients on national security reviews of foreign investment administered by the Committee on Foreign Investment in the United States (CFIUS), including CFIUS-related due diligence, risk assessment, and representation before the CFIUS agencies.

Author

Alexandre (Alex) Lamy joined Baker McKenzie in 2009 and currently works in the Firm's International Trade Practice Group. He assists clients with sanctions and export controls (Export Administration Regulations (EAR); International Traffic in Arms Regulations (ITAR)) and he advises clients on corporate compliance matters.