Storing Export Controlled Data in the Cloud: Consider ITAR and EAR Regulations
By Bruce H. Leeds
Posted: 1st February 2017 09:09
It is common these days for companies to store data in the “cloud”, meaning it is on a server located somewhere in the world. What if that data is export controlled?
For example, a company has defence-related technical data controlled under the International Traffic in Arms Regulations (ITAR). Can it be stored on a server located outside the U.S.? In another example, a company has dual-use technology controlled under the Export Administration Regulations (EAR). Can the company move it from a U.S. server to a foreign server?
For example, a company has defence-related technical data controlled under the International Traffic in Arms Regulations (ITAR). Can it be stored on a server located outside the U.S.? In another example, a company has dual-use technology controlled under the Export Administration Regulations (EAR). Can the company move it from a U.S. server to a foreign server?
Is storing data on a server outside the U.S. be considered an “export?” Under the recently revised definition in the EAR, “export” means: “An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner.”
“Item,” includes controlled information and data. The regulatory agencies have consistently interpreted “export” very broadly. Any way a controlled article or data can wind up in the hands of a foreign person is considered an export. In fact, a foreign person having access to data and information stored on a server in the U.S. is also an “export.”
Thus placing controlled data on a server in another country is an “export.” What do the regulations and interpretations say the data owner has to do to make it exportable? Or should they just forget about cloud storage altogether?
A recent Bureau of Industry & Security (BIS – the agency within Department of Commerce responsible for enforcing the EAR) rule establishes a “carve out” for transmissions of controlled technology within a cloud service infrastructure if there is “end-to-end” encryption of the data. This means that “data eligible for the carve-out must by definition be encrypted before crossing any national boundary, and must remain encrypted at all times while being transmitted from one security boundary to another.”
Any data sent to a cloud server outside the U.S., or moved from a U.S. server to a foreign server, or potentially accessed by a foreign person inside or outside the U.S. must be appropriately encrypted before crossing an international border (or before any potential access by a foreign person). The means of decrypting the data cannot be provided to any third party before reaching the recipient.
The change to the EAR added some further requirements for cloud storage of controlled technology:
The technology must be unclassified;
It must be secured using cryptographic modules compliant with Federal Information Processing (FIPS) 140-2 standards, supplemented by software implementation, key management and other procedures and controls;
The technology cannot be stored in a country subject to a U.S. arms embargo, or in Russia.
What about ITAR rules for cloud storage? An interim Final Rule, dated 1 September 2016, contained revised definitions to the ITAR. The rule did not specifically cover cloud storage; however, its revised definitions of “export,” “re-export” and “release” encompass transfers of technical data to foreign cloud servers. Although a cloud storage rule under the ITAR has not been finalised, controls similar to those under the EAR, ensuring that sufficient means to prevent foreign persons from having access to the data, are recommended. So – do you know where your data is?
Bruce H. Leeds is Of Counsel for Braumiller Law Group PLLC, which has offices in Los Angeles, Dallas, Toledo Chicago and Mexico. Bruce Leeds has decades of experience in international trade law and has successfully served his clients in diverse capacities, from classification and due diligence to ITAR compliance and drawback. He has significant expertise with importing and exporting technology.
“Item,” includes controlled information and data. The regulatory agencies have consistently interpreted “export” very broadly. Any way a controlled article or data can wind up in the hands of a foreign person is considered an export. In fact, a foreign person having access to data and information stored on a server in the U.S. is also an “export.”
Thus placing controlled data on a server in another country is an “export.” What do the regulations and interpretations say the data owner has to do to make it exportable? Or should they just forget about cloud storage altogether?
A recent Bureau of Industry & Security (BIS – the agency within Department of Commerce responsible for enforcing the EAR) rule establishes a “carve out” for transmissions of controlled technology within a cloud service infrastructure if there is “end-to-end” encryption of the data. This means that “data eligible for the carve-out must by definition be encrypted before crossing any national boundary, and must remain encrypted at all times while being transmitted from one security boundary to another.”
Any data sent to a cloud server outside the U.S., or moved from a U.S. server to a foreign server, or potentially accessed by a foreign person inside or outside the U.S. must be appropriately encrypted before crossing an international border (or before any potential access by a foreign person). The means of decrypting the data cannot be provided to any third party before reaching the recipient.
The change to the EAR added some further requirements for cloud storage of controlled technology:
The technology must be unclassified;
It must be secured using cryptographic modules compliant with Federal Information Processing (FIPS) 140-2 standards, supplemented by software implementation, key management and other procedures and controls;
The technology cannot be stored in a country subject to a U.S. arms embargo, or in Russia.
What about ITAR rules for cloud storage? An interim Final Rule, dated 1 September 2016, contained revised definitions to the ITAR. The rule did not specifically cover cloud storage; however, its revised definitions of “export,” “re-export” and “release” encompass transfers of technical data to foreign cloud servers. Although a cloud storage rule under the ITAR has not been finalised, controls similar to those under the EAR, ensuring that sufficient means to prevent foreign persons from having access to the data, are recommended. So – do you know where your data is?
Bruce H. Leeds is Of Counsel for Braumiller Law Group PLLC, which has offices in Los Angeles, Dallas, Toledo Chicago and Mexico. Bruce Leeds has decades of experience in international trade law and has successfully served his clients in diverse capacities, from classification and due diligence to ITAR compliance and drawback. He has significant expertise with importing and exporting technology.
Bruce can be contacted on 214-348-9306 or by email at Bruce@BraumillerLaw.com
Comments