Presenting a live 90-minute webinar with interactive Q&A Export Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws TUESDAY, MAY 10, 2016 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific Today’s faculty features: Thaddeus R. McBride, Partner, Bass Berry & Sims , Washington, D.C. Christine M. Minarich, Global Trade Compliance Counsel, Raytheon , Dulles, Va. Cheryl A. Palmeri, Esq., Bass Berry & Sims , Washington, D.C. The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10 .
Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-570-7602 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
Continuing Education Credits FOR LIVE EVENT ONLY In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about continuing education, call us at 1-800-926-7926 ext. 35.
Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to “Conference Materials” in the middle of the left - • hand column on your screen. • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program. • Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon. •
Export Controls & Cloud Computing Complying with the ITAR and EAR Strafford Publications May 10, 2016
Who We Are Christine Minarich – Global Trade Compliance Counsel Intelligence, Information & Services, Raytheon Company Thad McBride – Partner, Bass Berry & Sims Cheryl Palmeri – Associate, Bass Berry & Sims 6
Agenda Introduction Background Current Legal Landscape Compliance Questions / Discussion 7
Export Controls 8
Defense Exports International Traffic in Arms Regulations (ITAR) Department of State, Directorate of Defense Trade Controls (DDTC) 9
Defense Exports (cont’d) Defense articles – provide a critical military or intelligence advantage Technical data Defense services 10
“Dual Use” Export Controls Commercial items and technology Export Administration Regulations (EAR) U.S. Department of Commerce, Bureau of Industry and Security (BIS) 11
Export Controls – Key Points Law follows U.S.-origin items “Deemed exports” – technical data / technology Licensing Not required for most dual use exports Required for almost all defense exports ITAR embargoes / tighter controls for certain countries 12
Economic Sanctions 13
Sanctions Restrict transactions ( e.g. , provision of services) U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) 14
Sanctions (cont’d) Country-based Comprehensive ( e.g. , Iran , North Korea, Sudan) Selective ( e.g. , Burma, Russia / Ukraine) Own Category ( Cuba ) Specially Designated Nationals (SDNs) Individuals ( e.g., terrorists, drug kingpins) Groups ( e.g. , proliferators, terrorist organizations) 15
Cloud-Based Applications 16
What is Cloud Computing? On-demand network access to a shared pool of configurable computing resources 17
Four Basic Types Public : Provided by service provider to general public Community : Shared by groups from specific community Private : Provided for single organization, and hosted / managed internally or externally Hybrid : Combined deployment of one or more types 18
Examples Email containing U.S.-origin technical data routed through server in China Access by a foreign national cloud administrator to U.S. military code stored on defense contractor’s system Iranian employee of non-U.S. company accesses data hosted by U.S. cloud service provider 19
Regulatory Guidance 20
BIS Advisory Opinions January 13, 2009 / January 11, 2011 Provision of cloud computing services not subject to the EAR Cloud service provider is not exporter November 24, 2014 Cloud-based storefronts – no export of software 21
DTAG White Paper Cloud service users have limited visibility and control over how the information is handled Special arrangements with cloud service providers can be expensive and may not meet all of the user’s requirements Recommendations Unclassified / encrypted data – no export Amend definitions of “export” and “technical data” accordingly 22
Proposed Rules In June 2015, DDTC and BIS proposed to redefine “export” to specifically exclude information that is: (i) unclassified, (ii) secured using acceptable end-to-end encryption, and (iii) not stored in certain problematic countries 23
Proposed Rules (cont’d) Still an export Providing a foreign national the means to access encrypted data Actual access by a foreign national – even if unintended 24
Proposed Rules (cont’d) Theoretical access qualifies as an export Require end-to-end encryption Restrict where data can be stored Only originator and recipient can have means to access encrypted data 25
Differences in Proposed Rules ITAR EAR Any release of encryption keys / codes Requires knowledge / reason to that would allow access is an export know that the release will cause / permit transfer Encryption must be compliant with Allows “other similarly effective FIPS 140-2 and supplemented by U.S. cryptographic means” NIST procedures / controls Technical data cannot be stored in a § Technology cannot be stored in a 126.1 country or Russia country listed in Country Group D:5 26
Illustrative Comments Export should only occur when an actual transfer takes place, not when theoretically possible Remove 126.1 / D:5 storage restriction or provide safe harbor for contract term Revise “end -to- end encryption” requirement (e.g., accept tokenization ) Accept “other similarly effective cryptographic means ” 27
Comments (cont'd) Use EAR knowledge standard Allow that means to access encrypted data can be given to a third-party that is a U.S. person Do “originator” and “recipient” refer to individuals or companies (i.e., Are individual certificate keys required)? 28
Hypothetical Under the proposed revised rules, could a U.S. person employee of a U.S. defense contractor access controlled technical data while traveling in India? Under what circumstances? What compliance steps would be required? 29
Compliance 30
Compliance Steps “Traditional” Measures: Clear classification of data in cloud zones Incorporate cloud into policies and awareness efforts Ensure cloud agreements address export risks Server locations U.S. person administrators Ensure licenses, other authorizations in place as needed 31
Compliance (cont’d) “Non - traditional” measures: Continually review evolving legal and regulatory requirements Ensure ongoing monitoring of security technology threats and incidents – adapt accordingly Understand whether cyber security risks, incidents, and reporting have export control implications 32
Thank You! Christine Minarich (571) 250-2156 christine.m.minarich@raytheon.com Thad McBride (202) 827-2959 tmcbride@bassberry.com Cheryl Palmeri (202) 827-2967 cpalmeri@bassberry.com 33
Recommend
More recommend
