An issue of the highest priority for the US Departments of State and Commerce continues to be the protection of US technical data within the international defence environment.
The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) impose extraterritorial jurisdiction over US military and dual-use technologies. Any Australian organisation managing US technical data must maintain compliance with US regulations for the life of the technology or risk facing potentially significant penalties and losing their trusted status within the Defence sector.
Goal Group authored articles published in February 2019 highlighting technical data protection being prioritised by Australian and US Regulators, and July 2019 focusing on safeguards and security controls for Defence suppliers. This article highlights the risks involved in US technical data management for Australian businesses.
The following four areas are a practical focus for Australian businesses managing US technical data related risks:
1. Understanding US Regulations
Identifying the US approval, jurisdiction, and subsequent classification (think item identification) prior to receipt of any US technical data is paramount to understanding how technical data items must be managed to prevent data being supplied to unauthorised parties.
All exports of US technical data require prior US government approval (in the form of a Technical Assistance Agreement or other authority) unless an exemption or exception applies. This approval will dictate who can access the data, in which locations or territories, the authorised end-use, and any associated provisions or conditions related to its management. An item’s jurisdiction and classification will determine/define the US agency responsible for its control, registering obligations, licensing and brokering responsibilities, and any applicable license exemptions/exceptions.
Further US approval is required before technical data can be transferred to an end-use, end-user, or destination not previously authorised.
We recommend businesses managing US technical data consider a retrospective data assessment if there is any question of compliance risk.
2. Human Error
Ignorance of data management requirements is neither an excuse nor acceptable litigation defence. It is expected within the defence sector that comprehensive staff training is provided which covers US regulation based responsibilities, including third-party sharing, before access to US controlled technical data is provisioned. Data owners are accountable for the security of the data they manage. A poorly informed workforce significantly increases the risk of a data breach.
We recommend Australian defence businesses train their staff with qualified and available export control courses and establish roles and responsibilities of users involved in the management of controlled data.
3. Interrelated Processes
Many organisations mistakenly create export control processes in isolation and fail to connect relevant processes into related functional areas such as Supplier Management, Human Resources and Security. These common disconnects lead to confusion, mistakes and ultimately violations. In these example areas, it’s important to evaluate crucial information and establish how technical data is to be controlled during the procurement phase (Supplier Management), or identifying which employees are/aren’t authorised to access data due to dual/third country national considerations (Human Resources/Recruitment).
We recommend implementing a robust and documented complementary export compliance program for your defence sector business. These programs are affordable, effective and often provide competitive differentiation which helps secure future defence work.
4. Cyber Security
In response to the prolific number of recent high profile data breaches, regulators continue to stress the need for cyber improvements. An effective data security and compliance framework is vital for companies managing US technical data, irrespective of their size. Crucial steps to secure controlled technical data include the use of encryption, systems which limit access to authorised individuals and establishing robust data monitoring and auditing controls.
We recommend implementing cyber software product solutions which are affordable and designed specifically to mitigate many of the related export control risk factors.
We’ve presented four practical recommendations which will protect your brand and your entrusted data. US monitoring agencies such as Blue Lantern are increasingly assessing Australian organisations for compliance. US sanctions imposed due to export control breaches can result in economic and embargo penalties, serious business reputational damage, substantial monetary fines, and the risk of imprisonment.
Note: Kevin Chenney is an Export Control Specialist with Goal Group, Sydney.