
U.S. Regulation of Exports and International Conduct: Export Controls on Information and Technology

This is the eighth article in a 12-part series, U.S. Regulation of Exports and International Conduct: A Compliance Primer, from Gregory Husisian of Foley & Lardner LLP. The first six parts discussed The Pitfalls of Operating Abroad, Taking an Integrated Approach to Compliance, Basic FCPA Compliance Principles, Dealing with Third Parties under the FCPA, Dealing with Merger Issues Under the FCPA, Basic Export Controls Compliance Principles and Export Controls on Goods.

Export control and sanction requirements have been around for years, but are taking on increasing prominence. As a follow-up to Parts IV-VII of this series, this article highlights some of the considerations that go into implementing an effective compliance program for export controls regulations and their controls on information and technology.

Elements of a Well-Run Compliance Program

In addition to the controls on the export of goods, the export control regulations include the concept of “deemed exports.” The release of technology or software subject to the EAR to a foreign person is deemed to be an export to that foreign person’s country of nationality, and thus requires the same export license as would any other export to that country. Similarly, under the ITAR, “export” includes disclosing or transferring technical data to a non-U.S. person, whether in the United States or abroad. The export agencies treat access to information as being the same as an actual release of information, even in situations where there has not been any actual contact between a foreign person and the controlled information.

Exportation of controlled information can occur either orally or visually; that is, by any means that results in a transfer of controlled information to a non-U.S. national. The method by which the data is communicated to a non-U.S. person is irrelevant: it can be hand carried, shipped by air or sea, transmitted (or accessed) electronically, communicated by telephone or fax, or viewed in person. Export even includes the concept of exposing a foreign person to a data-rich environment that gives clues as to controlled information, such as an R&D lab or a production facility.

At many firms, all efforts to control information are encapsulated in a technology control plan, or TCP. Under the TCP, the company takes a series of steps, including physical security, escort procedures, restrictions on computer and network access (using a mix of encryption, passwords and other appropriate restrictions), to safeguard technical data associated with the manufacture of defense articles or defense services from unauthorized physical, visual and virtual access by foreign national employees, visitors, guests or any other persons who are not either U.S. citizens or green card holders.

The typical elements of a TCP are as follows:

  • A description of the information that is controlled for access by foreign nationals.
  • A description of the security measures being implemented to control access to the controlled information.
  • A description of procedures for informing the foreign person of the applicable export controls requirements.
  • A description of which company employees will be in charge of discharging the TCP requirements, including logging in foreign nationals, escorting them and providing an overview of the required TCP procedures.
  • A description of procedures for controlling access to equipment that could be used to copy or transmit controlled information.
  • A requirement that the foreign national sign a certificate acknowledging briefing on the requirements of U.S. export controls and the restrictions in the TCP, including a reassurance that the person will comply with applicable provisions of the TCP.

Physical security also is a necessary part of any TCP. The key procedures that are usually appropriate include the following:

  • Restrictions on the unescorted access to buildings, laboratories or offices with controlled goods or information.
  • Segregation of controlled workspaces and their restriction from access by foreign nationals.
  • Tracking of visitors, including through the use of visitor logs, escorts of visitors and controls on the use of cell and smart phones, cameras, radio transmitters, fax machines, email, laptops, personal digital assistants, flash drives, and electronic and mechanical recording and storage devices within the company by foreign nationals.
  • Mandatory badging procedures, including requirements that badges contain the person’s name, the areas where the person is allowed to visit, whether an escort is needed and the badge’s expiration time. Many companies color code badges to allow ready identification of visitors and their status by all company personnel.
  • Procedures for screening and preventing access by service providers, such as delivery, maintenance and repair personnel, computer technicians, cleaning crews and any other service providers who may have access to shipping and receiving areas or be close to areas with controlled information.
  • End-of-day procedures, including the lockdown of computer networks, the placement of controlled items in locked cabinets and drawers, and securing of the entire controlled environment.

Given the importance of restrictions on technical data and controlled information, the TCP necessarily must focus on restrictions on accessing the computer networks and databases that contain restricted information.

Typical information technology restrictions include the following:

  • Network security provisions, including password protections, segregated access to export-controlled information and blockages on downloading content.
  • Provision of clean access points for visitors that are incapable of allowing access to export-controlled information.
  • Restrictions on outside access to the network, including firewalls, strong passwords and user-authentication protocols, regular changes to login information and secure data transmission practices.
  • Procedures to ensure the secure storage of backup information in a fashion that is not accessible to foreign nationals.
  • Strict prohibition of controlled data on portable devices, in favor of virtual access through secure virtual entry points. Where such information absolutely must be placed on a portable device, the TCP should prohibit doing so unless it is first encrypted.
