Export Controls and Cloud Computing: Legal Risks Complying with - - PowerPoint PPT Presentation


Presenting a live 90-minute webinar with interactive Q&A Export Controls and Cloud Computing: Legal Risks Complying with ITAR, EAR and Sanctions Laws When Using Cloud Storage and Services TUESDAY, APRIL 2, 2013 1pm Eastern | 12pm


SLIDE 1

Export Controls and Cloud Computing: Legal Risks

Complying with ITAR, EAR and Sanctions Laws When Using Cloud Storage and Services

Presenting a live 90-minute webinar with interactive Q&A

TUESDAY, APRIL 2, 2013

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

  • Thaddeus R. McBride, Partner, Sheppard Mullin Richter & Hampton, Washington, D.C.
  • Marynell DeVaughn, Vice President & Associate General Counsel, Alliant Techsystems, Arlington, Va.
  • Scott W. Jackson, Director, International Trade Compliance, Pratt & Whitney, East Hartford, Conn.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

SLIDE 2

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-320-7825 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

SLIDE 3

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

  • In the chat box, type (1) your company name and (2) the number of attendees at your location
  • Click the word balloon button to send

FOR LIVE EVENT ONLY

SLIDE 4

Export Controls and Cloud Computing: Legal Risks

Strafford Publications Webinar April 2, 2013

Marynell DeVaughn Thad McBride Scott Jackson

SLIDE 5

Agenda

  • Importance of compliance
  • What is cloud computing
  • Relevant regulatory regimes
  • Risk mitigation
  • Questions / discussion

SLIDE 6

Importance of Compliance

SLIDE 7

Importance of Compliance

  • Broad jurisdiction
  • Significant penalties
  • Vigorous enforcement

SLIDE 8

Broad Jurisdiction

  • U.S. law covers exports of U.S.-origin products and parts, wherever located
  • Action anywhere in the world that causes a violation of U.S. sanctions is itself a violation

SLIDE 9

Penalties

  • Civil and criminal fines
  • Imprisonment
  • Denial of export privileges

SLIDE 10

Vigorous Enforcement

  • The Departments of Commerce, Justice, State, and Treasury are actively pursuing violators of U.S. trade controls laws
  • In addition to penalties, there may be:
    ▫ seizure and forfeiture of goods
    ▫ prohibition of export of goods to a violator
    ▫ possible reputational damage

SLIDE 11

What is Cloud Computing?

SLIDE 12

Cloud Computing Definition

Investopedia explains … Cloud computing is so named because the information being accessed is found in the "clouds", and does not require a user to be in a specific place to gain access to it. Companies may find that cloud computing allows them to reduce the cost of information management, since they are not required to own their own servers and can use capacity leased from third parties. Additionally, the cloud-like structure allows companies to upgrade software more quickly.

SLIDE 13

The Cloud defined . . . Simple

Image courtesy of webretina.com

The “cloud” in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service. Cloud services include the delivery of software, infrastructure, and storage over the Internet (either as separate components or a complete platform) based on user demand.

Source: Cloud Computing For Dummies

SLIDE 14

The Cloud defined . . . Simpler

http://www.youtube.com/watch?v=W4FlVgb64WY&feature=relmfu

SLIDE 15

The Cloud defined . . . Best

Cloud Computing is the ability to use the power of other computers (located somewhere else) and their software, via the Internet (or sometimes other networks), without the need to own them. They are being provided to you, as a service.

Source: http://gnoted.com/what-is-cloud-computing-simple-terms/

SLIDE 16

@Tokyo Data Center

Basic facts:

  • Located in Koto-Ku, Tokyo
  • One of world’s largest
  • 1.4 million sq. ft.
  • Virtually 100% dedicated to server racks

SLIDE 17

Types of Cloud Services

  • Private Cloud
    ▫ Cloud infrastructure operated solely for a single organization
    ▫ May be managed internally or by a third-party and hosted internally or externally
  • Public Cloud
    ▫ Available to general public for free or on a pay-per-use model
    ▫ Access usually only via Internet
  • Hybrid Cloud
    ▫ Composition of two or more clouds that remain unique entities but are bound together
    ▫ Benefit of multiple deployment models

Source: Wikipedia

SLIDE 18

Relevant Laws

SLIDE 19

Dual Use Exports

  • Items designed for commercial purposes
  • Licensing requirement is based on the item, destination, end-user, and end-use
  • Relevant law: Export Administration Regulations (EAR)
  • Regulator: U.S. Department of Commerce, Bureau of Industry and Security (BIS)
  • Jurisdiction follows the item: Entities and individuals outside the U.S. may be liable for re-exports

SLIDE 20

Defense Export Controls

  • Controls on items and technology specifically designed or modified for a military purpose
  • License or other specific authorization required for virtually all exports of defense articles, technical data, and services
  • Relevant law: International Traffic in Arms Regulations (ITAR)
  • Regulator: U.S. Department of State, Directorate of Defense Trade Controls (DDTC)

SLIDE 21

ITAR/EAR: Definition of “Export”

ITAR

  • Sending or taking a defense article [i.e., any item or technical data] out of the U.S. in any manner
  • Disclosing or transferring technical data to a foreign person, in the U.S. or abroad
  • Performing a defense service on behalf of, or for the benefit of, a foreign person, in the U.S. or in a foreign country

EAR

  • Actual shipment or transmission of items [i.e., commodities, software, or technology] out of the U.S.
  • Release of technology or software to a foreign national in the U.S. or in a foreign country
  • Furnishing technical assistance/service to a foreign national in the United States or in a foreign country

SLIDE 22

ITAR/EAR: Technical Information and Services

ITAR

  • Technical data - information … required for the design, development, manufacture … testing … or modification of a defense article
  • Defense service - furnishing assistance (including training) to foreign persons … in the design, development, etc. of a defense article; furnishing technical data to foreign persons

EAR

  • Technology - Specific information necessary for the development, production, or use of a product. The information takes form of technical data or technical assistance
  • Technical data - e.g., blueprints, plans, diagrams, engineering designs
  • Technical assistance - e.g., skills training, instruction, working knowledge, consulting services ... may involve transfer of technical data

SLIDE 23

Economic Sanctions

  • Relevant Law: approximately 25 different U.S. sanctions regulations
  • Regulator: U.S. Treasury Department, Office of Foreign Assets Control (OFAC)

SLIDE 24

Sanctions (cont.)

Jurisdiction over all U.S. persons

  • All U.S. citizens and residents, wherever located
  • All U.S.-organized, incorporated companies or entities
  • All persons in the United States, regardless of nationality
  • In case of Cuba and Iran, non-U.S. entities owned / controlled by a U.S. person also are subject to U.S. jurisdiction

SLIDE 25

Sanctions (cont.)

Facilitation / Export of Services

  • U.S. person cannot facilitate or otherwise support activity that would be prohibited if performed by U.S. person
  • Providing a service anywhere may be prohibited if benefit of service is received by sanctioned party

SLIDE 26

Sanctions (cont.)

IMPORTANT POINT: There can be liability for any person, regardless of nationality, who causes a violation

SLIDE 27

Regulatory Language on Cloud Computing

  • No definition of cloud computing in the relevant regulations -- Commerce-EAR, State-ITAR, or Treasury-OFAC regulations
  • Only Commerce Department (BIS) has provided official written advice through two Advisory Opinions
    ▫ January 2009
    ▫ January 2011

SLIDE 28

BIS Advisory Opinion 1 – Jan 13, 2009

  • Requested clarification regarding application of the EAR to grid and cloud computing services.
  • BIS Response:
    ▫ Providing computational capacity services is NOT an export and therefore NOT subject to the EAR.
    ▫ Shipping or transmitting software that is subject to the EAR to a foreign destination or to a foreign person IS an export subject to the EAR.
    ▫ Shipping or transmitting technology that is subject to the EAR to a foreign destination or to a foreign person (technical manuals, instructions, etc.) needed to use the computational service is an export subject to the EAR.
    ▫ Exporting controlled software or technology to and from the cloud is subject to the EAR.
    ▫ Because the service provider does not receive “primary benefit from the transaction”, NOT considered the exporter.
    ▫ The cloud USER is generally NOT the exporter because not located in the U.S.

SLIDE 29

BIS Advisory Opinion 2 – Jan 11, 2011

  • Requested confirmation that the EAR does not require cloud computing service providers to obtain deemed export licenses for foreign national IT admins who service and maintain the cloud computing system.
  • Key facts:
    ▫ Service provider does not monitor or screen user-generated content stored or shared in the cloud (with exceptions).
    ▫ Certain data stored may constitute technology.
  • BIS Response:
    ▫ Per AO 1, service provider engaged in monitoring or screening activity is not an exporter = No deemed export.
    ▫ However . . . Only addresses facts outlined in the service provider’s letter wherein the monitoring activities are described. Conclusion does NOT apply to “release” of technology subject to the EAR. “Release” may constitute a “deemed export” requiring license.

SLIDE 30

Advisory Opinions (cont.)

  • BIS Advisory Opinions not binding on State-DDTC or Treasury-OFAC
  • In absence of specific regulations and/or official interpretations issued by the agencies, exporters/users need to:
    ▫ establish guidelines and measures derived from the regulatory framework
    ▫ apply internal processes consistently
    ▫ keep good records of steps taken

SLIDE 31

Risk Mitigation

SLIDE 32

Examples of Risk Mitigation

  • In service provider contracts, obtain specific representations and warranties relating to compliance with the ITAR and other applicable export control laws and regulations, and include indemnification clauses and certifications of compliance
  • Confine cloud storage to the US and service only by US Persons
  • Restrict foreign national/person access unless there is an ITAR/EAR authorization in place
  • Beware of access to data by sanctioned persons; don’t provide services to sanctioned parties

SLIDE 33

Risk Mitigation (cont.)

Conduct awareness training on the export control implications vis-à-vis cloud computing for functions that may use the cloud for data storage and transmission

  • Marketing and sales departments
  • Program managers
  • Engineering

SLIDE 34

Risk Mitigation (cont.)

  • Collaborate with and educate IT and IT Security on export control “rules of the road”
  • Where is the technical data being moved and stored?
  • Who has access to the technical data?
  • What is nationality of customer (user)? Query: implications of foreign jurisdiction blocking and privacy laws?
  • Understand non-conventional risks such as cybercrime, trade secret theft
  • Encryption of data does not eliminate risk (may mitigate)

SLIDE 35

Risk Mitigation (cont.)

  • Consider Technology Control Plan (TCP)
  • Outlines the procedures used to prevent unauthorized export of and/or access to controlled technology or data
  • Can be required by the ITAR and/or EAR
  • Develop technology and product classification matrix
  • Item description and marking
  • Assists in data segregation

SLIDE 36

Discussion

SLIDE 37

Discussion

  • Encrypted U.S. origin email containing ITAR-controlled data is routed through a server in Calcutta
  • What are the risks? Is an ITAR license required?

SLIDE 38

Discussion (cont.)

  • Access by a foreign national cloud administrator to military code located in a U.S. user’s cloud zone
  • What steps can a U.S. user take initially to protect against this?

SLIDE 39

Discussion (cont.)

  • Has an export occurred if:
    ▫ ITAR/EAR controlled technical data is sent overseas?
    ▫ ITAR/EAR technical data is stored on servers located overseas?
    ▫ Foreign nationals/persons have access or are given access privileges to ITAR/EAR technical data in the US or outside the US?

SLIDE 40

Discussion (cont.)

  • Post-close, discovered site operating under a Continuing Services Agreement (CSA), whereby Seller provides network and application (e.g., SAP) support via a private “cloud”
  • Seller located in 3rd country
  • Acquired 2012
  • Manufacturer of aircraft parts classified as EAR99 or 9E991
  • Purchased specifically to manufacture parts for both ITAR and EAR-controlled applications

SLIDE 41

Reminder: Compliance Risks

Whether public, private or hybrid, there are risks:

  • Location . . . If outside US = Export
    ▫ Encryption and physical access controls not sufficient
    ▫ Don’t forget location of disaster recovery sites
  • Access . . . If non-US admin = Export
    ▫ Service agreement must include description of required access controls
  • Limit to items not subject to the EAR or EAR99

Don’t outsource regulatory compliance to your service provider. Vital to extend existing IT security standards to the Cloud and audit!

SLIDE 42

Thank you!

Marynell DeVaughn
Vice President, Associate General Counsel
Alliant Techsystems, Inc.
Tel: +1 703 412-3234
Marynell.devaughn@atk.com

Scott Jackson
Director, International Trade Compliance
Operations & Engineering
Pratt & Whitney
Tel: +1 860 557-2841
Scott.Jackson@pw.utc.com

Thad McBride
Partner
Sheppard Mullin Richter & Hampton
Tel: +1 202 469-4976
tmcbride@sheppardmullin.com