Export Controls and Cloud Computing: Legal Risks




Presenting a live 90-minute webinar with interactive Q&A

Export Controls and Cloud Computing: Legal Risks
Complying with ITAR, EAR and Sanctions Laws When Using Cloud Storage and Services

TUESDAY, APRIL 2, 2013
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today's faculty features:
- Thaddeus R. McBride, Partner, Sheppard Mullin Richter & Hampton, Washington, D.C.
- Marynell DeVaughn, Vice President & Associate General Counsel, Alliant Techsystems, Arlington, Va.
- Scott W. Jackson, Director, International Trade Compliance, Pratt & Whitney, East Hartford, Conn.


Export Controls and Cloud Computing: Legal Risks
Strafford Publications Webinar
April 2, 2013
Marynell DeVaughn, Thad McBride, Scott Jackson

Agenda
- Importance of compliance
- What is cloud computing
- Relevant regulatory regimes
- Risk mitigation
- Questions / discussion

Importance of Compliance

Importance of Compliance
- Broad jurisdiction
- Significant penalties
- Vigorous enforcement

Broad Jurisdiction
- U.S. law covers exports of U.S.-origin products and parts, wherever located
- Action anywhere in the world that causes a violation of U.S. sanctions is itself a violation

Penalties
- Civil and criminal fines
- Imprisonment
- Denial of export privileges

Vigorous Enforcement
- The Departments of Commerce, Justice, State, and Treasury are actively pursuing violators of U.S. trade controls laws
- In addition to penalties, there may be:
  - seizure and forfeiture of goods
  - prohibition of export of goods to a violator
  - possible reputational damage

What is Cloud Computing?

Cloud Computing Definition

Investopedia explains: Cloud computing is so named because the information being accessed is found in the "clouds", and does not require a user to be in a specific place to gain access to it. Companies may find that cloud computing allows them to reduce the cost of information management, since they are not required to own their own servers and can use capacity leased from third parties. Additionally, the cloud-like structure allows companies to upgrade software more quickly.

The Cloud defined... Simple

(Image courtesy of webretina.com)

The cloud in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service. Cloud services include the delivery of software, infrastructure, and storage over the Internet (either as separate components or a complete platform) based on user demand.

Source: Cloud Computing For Dummies

The Cloud defined... Simpler

http://www.youtube.com/watch?v=w4flvgb64wy&feature=relmfu

The Cloud defined... Best

Cloud Computing is the ability to use the power of other computers (located somewhere else) and their software, via the Internet (or sometimes other networks), without the need to own them. They are being provided to you, as a service.

Source: http://gnoted.com/what-is-cloud-computing-simple-terms/

@Tokyo Data Center

Basic facts:
- Located in Koto-Ku, Tokyo
- One of world's largest
- 1.4 million sq. ft.
- Virtually 100% dedicated to server racks

Types of Cloud Services
- Private Cloud
  - Cloud infrastructure operated solely for a single organization
  - May be managed internally or by a third-party and hosted internally or externally
- Public Cloud
  - Available to general public for free or on a pay-per-use model
  - Access usually only via Internet
- Hybrid Cloud
  - Composition of two or more clouds that remain unique entities but are bound together
  - Benefit of multiple deployment models

Source: Wikipedia

Relevant Laws

Dual Use Exports
- Items designed for commercial purposes
- Licensing requirement is based on the item, destination, end-user, and end-use
- Relevant law: Export Administration Regulations (EAR)
- Regulator: U.S. Department of Commerce, Bureau of Industry and Security (BIS)
- Jurisdiction follows the item: Entities and individuals outside the U.S. may be liable for re-exports

Defense Export Controls
- Controls on items and technology specifically designed or modified for a military purpose
- License or other specific authorization required for virtually all exports of defense articles, technical data, and services
- Relevant law: International Traffic in Arms Regulations (ITAR)
- Regulator: U.S. Department of State, Directorate of Defense Trade Controls (DDTC)

ITAR/EAR: Definition of Export

ITAR
- Sending or taking a defense article [i.e., any item or technical data] out of the U.S. in any manner
- Disclosing or transferring technical data to a foreign person, in the U.S. or abroad
- Performing a defense service on behalf of, or for the benefit of, a foreign person, in the U.S. or in a foreign country

EAR
- Actual shipment or transmission of items [i.e., commodities, software, or technology] out of the U.S.
- Release of technology or software to a foreign national in the U.S. or in a foreign country
- Furnishing technical assistance/service to a foreign national in the United States or in a foreign country

ITAR/EAR: Technical Information and Services

ITAR
- Technical data - information required for the design, development, manufacture, testing or modification of a defense article
- Defense service - furnishing assistance (including training) to foreign persons in the design, development, etc. of a defense article; furnishing technical data to foreign persons

EAR
- Technology - Specific information necessary for the development, production, or use of a product. The information takes form of technical data or technical assistance
- Technical data - e.g., blueprints, plans, diagrams, engineering designs
- Technical assistance - e.g., skills training, instruction, working knowledge, consulting services... may involve transfer of technical data

Economic Sanctions
- Relevant Law: approximately 25 different U.S. sanctions regulations
- Regulator: U.S. Treasury Department, Office of Foreign Assets Control (OFAC)

Sanctions (cont.)
- Jurisdiction over all U.S. persons
  - All U.S. citizens and residents, wherever located
  - All U.S.-organized, incorporated companies or entities
  - All persons in the United States, regardless of nationality
- In case of Cuba and Iran, non-U.S. entities owned / controlled by a U.S. person also are subject to U.S. jurisdiction

Sanctions (cont.)
- Facilitation / Export of Services
  - U.S. person cannot facilitate or otherwise support activity that would be prohibited if performed by U.S. person
  - Providing a service anywhere may be prohibited if benefit of service is received by sanctioned party

Sanctions (cont.)

IMPORTANT POINT: There can be liability for any person, regardless of nationality, who causes a violation

Regulatory Language on Cloud Computing
- No definition of cloud computing in the relevant regulations -- Commerce-EAR, State-ITAR, or Treasury-OFAC regulations
- Only Commerce Department (BIS) has provided official written advice through two Advisory Opinions
  - January 2009
  - January 2011

BIS Advisory Opinion 1 (Jan 13, 2009)
- Requested clarification regarding application of the EAR to grid and cloud computing services.
- BIS Response:
  - Providing computational capacity services is NOT an export and therefore NOT subject to the EAR.
  - Shipping or transmitting software that is subject to the EAR to a foreign destination or to a foreign person IS an export subject to the EAR.
  - Shipping or transmitting technology that is subject to the EAR to a foreign destination or to a foreign person (technical manuals, instructions, etc.) needed to use the computational service is an export subject to the EAR.
  - Exporting controlled software or technology to and from the cloud is subject to the EAR.
  - Because the service provider does not receive primary benefit from the transaction, NOT considered the exporter.
  - The cloud USER is generally NOT the exporter because not located in the U.S.

BIS Advisory Opinion 2 (Jan 11, 2011)
- Requested confirmation that the EAR does not require cloud computing service providers to obtain deemed export licenses for foreign national IT admins who service and maintain the cloud computing system.
- Key facts:
  - Service provider does not monitor or screen user-generated content stored or shared in the cloud (with exceptions).
  - Certain data stored may constitute technology.
- BIS Response:
  - Per AO 1, service provider engaged in monitoring or screening activity is not an exporter = No deemed export.
- However...
  - Only addresses facts outlined in the service provider's letter wherein the monitoring activities are described.
  - Conclusion does NOT apply to release of technology subject to the EAR. Release may constitute a deemed export requiring license.

Advisory Opinions (cont.)
- BIS Advisory Opinions not binding on State-DDTC or Treasury-OFAC
- In absence of specific regulations and/or official interpretations issued by the agencies, exporters/users need to:
  - establish guidelines and measures derived from the regulatory framework
  - apply internal processes consistently
  - keep good records of steps taken

Risk Mitigation

Examples of Risk Mitigation
- In service provider contracts, obtain specific representations and warranties relating to compliance with the ITAR and other applicable export control laws and regulations, and include indemnification clauses and certifications of compliance
- Confine cloud storage to the US and service only by US Persons
- Restrict foreign national/person access unless there is an ITAR/EAR authorization in place
- Beware of access to data by sanctioned persons; don't provide services to sanctioned parties

Risk Mitigation (cont.)
- Conduct awareness training on the export control implications vis-à-vis cloud computing for functions that may use the cloud for data storage and transmission
  - Marketing and sales departments
  - Program managers
  - Engineering

Risk Mitigation (cont.)
- Collaborate with and educate IT and IT Security on export control rules of the road
  - Where is the technical data being moved and stored?
  - Who has access to the technical data?
  - What is nationality of customer (user)?
  - Query: implications of foreign jurisdiction blocking and privacy laws?
- Understand non-conventional risks such as cybercrime, trade secret theft
- Encryption of data does not eliminate risk (may mitigate)

Risk Mitigation (cont.)
- Consider Technology Control Plan (TCP)
  - Outlines the procedures used to prevent unauthorized export of and/or access to controlled technology or data
  - Can be required by the ITAR and/or EAR
- Develop technology and product classification matrix
  - Item description and marking
  - Assists in data segregation

Discussion

Discussion
- Encrypted U.S. origin email containing ITAR-controlled data is routed through a server in Calcutta
  - What are the risks?
  - Is an ITAR license required?

Discussion (cont.)
- Access by a foreign national cloud administrator to military code located in a U.S. user's cloud zone
  - What steps can a U.S. user take initially to protect against this?

Discussion (cont.)
- Has an export occurred if:
  - ITAR/EAR controlled technical data is sent overseas?
  - ITAR/EAR technical data is stored on servers located overseas?
  - Foreign nationals/persons have access or are given access privileges to ITAR/EAR technical data in the US or outside the US?

Discussion (cont.)
- Acquired 2012
- Manufacturer of aircraft parts classified as EAR99 or 9E991
- Purchased specifically to manufacture parts for both ITAR and EAR-controlled applications
- Post-close, discovered site operating under a Continuing Services Agreement (CSA), whereby Seller provides network and application (e.g., SAP) support via a private cloud
- Seller located in 3rd country

Reminder: Compliance Risks
- Whether public, private or hybrid, there are risks:
  - Location... If outside US = Export
    - Encryption and physical access controls not sufficient
    - Don't forget location of disaster recovery sites
  - Access... If non-US admin = Export
    - Service agreement must include description of required access controls
    - Limit to items not subject to the EAR or EAR99
- Don't outsource regulatory compliance to your service provider.
- Vital to extend existing IT security standards to the Cloud and audit!

Thank you!

Marynell Devaughn
Vice President, Associate General Counsel
Alliant Techsystems, Inc.
Tel: +1 703 412-3234
Marynell.devaughn@atk.com

Scott Jackson
Director, International Trade Compliance Operations & Engineering
Pratt & Whitney
Tel: +1 860 557-2841
Scott.Jackson@pw.utc.com

Thad McBride
Partner
Sheppard Mullin Richter & Hampton
Tel: +1 202 469-4976
tmcbride@sheppardmullin.com