09.15.2015 Proposed Amendments Provide Data Security Standard Under ITAR and EAR By: Thomas B. McVey

The Commerce and State Departments have issued long-awaited proposed regulations that provide data security standards for use in the transmission and storage of ITAR-controlled and EAR-controlled electronic data.  If enacted in final form, these proposals could provide an important foundation for compliance in the transmission, storage and “cloud” processing of export-controlled technology/technical data and software.

On June 3, 2015 both the State Department[1] and the Commerce Department[2] issued proposed regulations to harmonize key terms used in the International Traffic In Arms Regulations (“ITAR”) and the Export Administration Regulations (“EAR”).  One of the key terms addressed in both proposals is the definition of the term “export” and the identification of certain activities that would not constitute an export.  As an important part of this, the proposals state that transmitting or storing electronic data that meets certain security standards would not constitute an “export” of the data and hence not be subject to certain export control restrictions.  Specifically the proposals state that sending, taking or storing technology/technical data or software would not constitute an export provided that the following conditions are met:[3]

(i) It was unclassified;

(ii) It was secured using “end-to-end” encryption;

(iii) It was secured using cryptographic modules (hardware or software) compliant with Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications;[4] and

(iv) It was not stored in a country listed in Country Group D:5 (see Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation.

As export compliance professionals are aware, sending or taking ITAR-controlled technical data out of the U.S. (or disclosing it to foreign nationals in the U.S.) constitutes an export and requires an export license, unless a license exemption is available.  Similarly, transferring technology listed on the Commerce Control List may require a license depending upon the terms of the control for the item in question.  Under the proposed regulations, the transmission of controlled technology/technical data to, or storage in, a foreign country under the requisite level of security controls would no longer constitute an export and would significantly simplify the compliance process, provided that the data were continuously encrypted while outside of the United States.

Both proposals, however, provide the important caveat that releasing decryption keys, network access codes, passwords or other information that will permit access by a foreign person to controlled technology/technical data will constitute an export, and will be subject to all of the requirements applicable to export transactions.[5]  Thus, while the proposed regulations provide a safe harbor based on the use of a requisite level of encryption, this must be accompanied by adequate ongoing data security practices in order for the safe harbor to be effective. 

In order to qualify for the exclusion, the transmission or storage of the data must utilize “end-to-end” encryption.  This term is defined in the proposed regulations as follows:

For purposes of this section, “end-to-end encryption” means the provision of uninterrupted cryptographic protection of data between an originator and an intended recipient, including between an individual and himself or herself.  It involves encrypting data by the originating party and keeping that data encrypted except by the intended recipient, where the means to access the data in unencrypted form is not given to any third party, including to any Internet service provider, application service provider or cloud service provider.[6]

Also, to qualify the data cannot be stored in a Country Group D:5 country or the Russian Federation.  This underscores State’s and Commerce’s concerns regarding the risks posed through the location of data in countries with significant national security risks.

Both Commerce and State have long espoused that the improper disclosure of controlled technology/technical data through electronic transmission and/or cloud computing may give rise to export control violations and must be addressed as part of a company’s compliance efforts.  This is reflected in the State Department’s introductory statement in the Federal Register release accompanying the State Department’s version of the proposed regulation:

The Department recognizes that ITAR-controlled ‘‘technical data’’ may be electronically routed through foreign servers unbeknownst to the original sender.  This presents a risk of unauthorized access and creates a potential for inadvertent ITAR violations.  For example, email containing ‘‘technical data’’ may, without the knowledge of the sender, transit a foreign country’s Internet service infrastructure en route to its intended and authorized final destination.  Any access to this data by a foreign person would constitute an unauthorized ‘‘export’’ under ITAR § 120.17.  Another example is the use of mass data storage (i.e., ‘‘cloud storage’’).  In this case, ‘‘technical data’’ intended to be resident in cloud storage may, without the knowledge of the sender, be physically stored on a server or servers located in a foreign country or multiple countries.  Any access to this data, even if unintended by the sender, would constitute an “export’’ under ITAR § 120.17.  (Emphasis added.)

Based on the above, companies are advised to use a high degree of care in transferring and storing electronic data and software that are ITAR-controlled or EAR-controlled in their compliance practices.  If enacted, the proposed regulations will provide valuable clarity and legal certainty to assist in this effort.

The regulations are in proposed form and comments were accepted by Commerce and State through August 3, 2015.  We expect that final regulations will be issued by the agencies within approximately the next six months.

[1] See Proposed Rule, Department of State, International Traffic in Arms: Revisions to Definitions of Defense Services, Technical Data, and Public Domain; Definition of Product of Fundamental Research; Electronic Transmission and Storage of Technical Data; and Related Definitions, Federal Register Vol. 80, No. 106, July 3, 2015, p.31525 et. seq. (the “State Proposal”).
[2] See Proposed Rule, Department of Commerce, Revisions to Definitions in the Export Administration Regulations, Federal Register Vol. 80, No. 106, July 3, 2015, p.31505 et. seq. (the “Commerce Proposal”).
[3] See proposed revision to 15 CFR §734.18(a)(4) set forth in the Commerce Proposal on p. 31517, and proposed revision to 22 CFR §120.52(a)(4) set forth in the State Proposal on p. 31537.
[4] Both the Commerce Proposal and the State Proposal provide the data security standards as set forth above.  In addition, the Commerce Proposal provides in §734.18(a)(4)(iii) that “other similarly effective cryptographic means” will also be acceptable to satisfy the data security requirement.  See proposed revision to 15 CFR §734.18(a)(4).
[5] See proposed §734.13(a)(6) in the Commerce Proposal and proposed §120.17(a)(6) in the State Proposal.  The Commerce Proposal states that the release or transfer of such items “with knowledge” that such release will cause or permit the transfer of other technology constitutes an export.  See the Commerce Proposal proposed revision to §734.13(a)(6).
[6] See proposed revision to 15 CFR §734.18(b) in the Commerce Proposal, and proposed revision to 22 CFR §120.52(b) in the State Proposal.