Is Your ITAR Controlled Data AWOL?

Do you know whether your business is covered by the International Traffic in Arms Regulations (ITAR)? Even if your organization does not export military products and services, ITAR’s coverage extends to entities that handle data involved—sometimes tangentially—in defense-related industries.

ITAR requires any U.S. company or person that exports “defense articles” within the purview of the United States Munitions List (USML) to obtain government authorization before engaging in any export activity. The USML covers broad categories of items including firearms, ammunition, missiles, explosives, aircraft, and personal protective equipment, among many other things. ITAR also covers entities that share technical data involving the “design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles” that fall within the USML categories, even when no physical export takes place. The data can take the form of documents, blueprints, drawings, photographs, plans, or instructions.

Companies subject to ITAR should build a comprehensive compliance program that addresses data shared with third parties, such as e-discovery and cloud computing service providers, which could qualify as an “export” if sent to a foreign country or shared with a foreign person within U.S. borders. Some important steps to take to avoid running afoul of ITAR when working with third parties include the following:

1. Identify controlled data. Take steps to isolate ITAR data before sending it to third parties. Use analytics to scan data repositories for technical data, unlock hidden patterns, and cluster documents into conceptually related buckets for review. Conceptual search tools can identify patterns in documents based on keywords or chunks of text and highlight documents that refer to the USML categories.
2. Ensure your business partners are ITAR compliant. Ask all third parties to confirm their agreement to take reasonable measures to prevent the unauthorized disclosure of ITAR controlled data, such as preventing users from downloading, printing, or transmitting any information and running criminal background checks on potential employees. Also, make sure vendors do not store your data on servers located outside the United States.
3. Adopt access controls and permissions. Take precautions to prevent unauthorized parties from accessing and sharing technical data that resides in a structured environment, such as a database. For example, provide separate physical access for any projects involving the processing, collecting, or review of ITAR data. A separate secure database can offer another layer of security against unauthorized or inadvertent access to data during document reviews. The same can be applied to sources of unstructured data, such as Microsoft Word documents, Excel spreadsheets, engineering drawings, maps, email, social media and chat.
4. Be litigation ready. A big challenge for many companies is that their legacy data lacks classification, and is thus not well controlled day-to-day and more so in the case of litigation or an investigation (not to mention larger information governance considerations). It is critical to have a litigation readiness plan in place that enables professionals within the company to locate the legacy data, classify it and have a go-forward process for classifying data at the time of creation.

Taking steps such as these to identify and protect technical data is particularly important, as the government agency charged with enforcing ITAR, the Directorate of Defense Trade Controls, is likely to take a more favorable view of companies that follow a rigorous compliance program and voluntarily remedy failures to comply. Otherwise, violators are likely to suffer severe penalties, including multimillion-dollar fines.

Sheila Mackay is vice president at Conduent. She can be reached at smackay@conduent.com.