At the Update Conference recently hosted by the Bureau of Industry and Security (“BIS”), the Office of Export Enforcement introduced a newly established Cyber Division to manage the increasing number of disclosures it is receiving related to cyber incidents. This announcement signals increased regulatory scrutiny of cyber incidents and underscores the need for companies to update their cyber governance programs and incident response plans to analyze whether impacted data is subject to US export controls and may trigger disclosure or reporting obligations to US government agencies. These export control considerations build on the sanctions risks that the US Treasury Department’s Office of Foreign Assets Control has highlighted in the ransomware context, as we have previously blogged about here, here, and here.
Background on US Export Controls & Who Must Comply
There are two key US export control regimes: military and “dual-use.” Military export controls are implemented primarily under the International Traffic in Arms Regulations (“ITAR”) administered by the US State Department’s Directorate of Defense Trade Controls (“DDTC”). Dual-use controls, applicable to items that have both civilian and military applications, are implemented under the Export Administration Regulations (“EAR”) administered by BIS. These regulations apply to US and non-US entities alike, regardless of where the business is located, whenever they handle controlled technology or technical data, software (both object code and source code), or hardware subject to ITAR or EAR jurisdiction.
Under both sets of regulations, companies must ensure that exports, reexports, transfers, and “releases” outside the United States of controlled technology, technical data, software, or hardware comply with the ITAR or EAR, as applicable. US export controls also apply to the release of controlled technology/technical data or software source code to foreign nationals in the United States or third-country nationals outside the United States.
Identifying Data & Assets Subject to Export Controls
For purposes of identifying data potentially in scope, the concept of technology or technical data is broad. Examples may include proprietary information contained in blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, production processes, manuals or documentation, and electronic media. That said, not all US technology/technical data or software source code is controlled under US export controls. Accordingly, many companies conduct a data mapping exercise to identify data potentially in scope and determine what level of US export controls may apply to the technology/technical data or software they develop and/or use. Broadly speaking, controlled technology for EAR purposes typically is proprietary information that is required for the development or production of a controlled item. The ITAR captures broad categories of technical data related to defense articles.
Cyber Incident Response & Data Exfiltration
When cyber incidents involve potential access to or exfiltration by an unauthorized actor of controlled technology/technical data or software (collectively “Controlled Technology”), companies must determine whether there are contractual or statutory reporting obligations. An incident response plan or playbook should include a checklist to determine whether the incident should be reported to DDTC and/or BIS. This is particularly important if there are concerns that Controlled Technology may end up in a prohibited destination or with a prohibited party (e.g., one on the Entity List, Denied Persons List, or Specially Designated Nationals and Blocked Persons List, among others). The ITAR mandates disclosure of violations involving countries subject to US arms embargoes (which include Belarus, China, and Russia). Accordingly, a company concerned that Controlled Technology under the ITAR has ended up in one of those embargoed countries would likely have a mandatory reporting obligation to DDTC.
Voluntary Disclosure Considerations
Even if the incident does not impose mandatory reporting obligations, voluntary disclosure may be warranted. A careful consideration of risks and benefits of a voluntary disclosure, based on specific facts and circumstances, should inform a determination on whether to make a voluntary disclosure to DDTC or BIS. For example, given that these agencies may learn on their own about a company’s Controlled Technology ending up in a prohibited destination or with a prohibited party, a voluntary disclosure could mitigate the risk of future investigation. DDTC and BIS have significant discretion to impose civil penalties for violations of the regulations they administer, and such penalties can add up quickly, particularly if they involve aggravating factors.
Proactive Cyber Risk Mitigation for Data Subject to US Export Controls
To proactively reduce risks found at the intersection of US export controls and cybersecurity, companies can take the following steps:
- Identify Controlled Technology under the ITAR or EAR, whether developed internally or procured from third parties;
- Implement appropriate technology control plans and security controls for Controlled Technology so that their use, exports, reexports, transfers, or releases comply with the ITAR and/or EAR;
- Ensure incident response plans and playbooks include a checklist and clear steps on what to do if Controlled Technology may be impacted by a cyber incident, including reporting obligations to DDTC and/or BIS; and
- Test your plans and playbooks with key stakeholders in a tabletop exercise to make sure the organization has practiced an incident that may involve Controlled Technology and reporting to DDTC and/or BIS.
The cybersecurity and trade compliance teams at Baker McKenzie stand ready to help companies work through these issues and implement practical measures to mitigate risks.