By Chris Brady, GTM Governance, U.S.
On June 3, 2016, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) and the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) published final rules revising key definitions in the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). These revisions are part of the ongoing U.S. export control reform efforts designed to harmonize both the language and structure of EAR and ITAR.
Most of the definitional changes are merely structural or semantic, introduced to enhance clarity and consistency between the two sets of regulations. However, changes within the EAR pertaining to the treatment of cloud computing include an export control reform that may benefit a great number of U.S. companies.
Traditionally, BIS had advised the transmission and storage (outside of the U.S.) of technology or software controlled under the EAR constitutes an export or re-export. Therefore, such transmission or storage could potentially trigger a licensing requirement.
The BIS final rule, effective September 1, 2016, allows U.S. companies to use cloud technology (and other electronic transmission systems) to transfer and store unclassified technology and software subject to the EAR without facing export control licensing requirements –– as long as the transfers and storage meet certain provisions specified within the rule. This is significant because it provides for technology or software that is encrypted in accordance with the specified criteria to not be considered an export, re-export, or transfer when the technology or software leaves one country for another. Thus, if the specified provisions are met, the final rule allows technology or software to be hosted outside the United States without obtaining an export or re-export license that could potentially be mandated under the EAR.
The final rule provides that transmitting or storing electronic data (cloud storage) that meet certain security standards will no longer be considered an export of that data, provided that the technology or software is:
- Unclassified.
- Secured using “end-to-end encryption”.
- Secured using cryptographic modules (hardware or software) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means.
- Not intentionally stored in a military-embargoed country (Country Group D:5, per 15 CFR Supplement No. 1 to Part 740) or in the Russian Federation. Note: data in transit via the Internet is not deemed to be stored.
The final rule’s definition of “end-to-end encryption” requires that:
- The technology or software will not be in unencrypted form while between the originator and recipient or these parties’ respective “in-country security boundaries”.
- The means of decryption will not be provided to a third party.
Furthermore, the final rule includes language which states that “access information,” such as decryption keys, passwords, or other information that allows access to encrypted data sent, taken, or stored under this provision, is subject to the same export control requirements that apply if the data were not encrypted. Also, BIS clarified that a victim of a security breach related to encrypted data covered under this provision of the EAR will not be considered responsible for the export, re-export, or transfer of that data, so long as the victim did not provide the access information or otherwise allow the unauthorized infiltrator to gain access to the encrypted data.
It is important to note, DDTC has proposed similar rules regarding the sending or storing of encrypted technology or software controlled by the ITAR. However, the DDTC has not issued a final rule exempting exports of technical data to the cloud from ITAR regulations. Therefore, companies dealing in technical data subject to ITAR controls must be able to differentiate between their treatment of ITAR and EAR controlled data for purposes of cloud storage.