Offshoring IT Could Mean You're Technically an Exporter
Deemed Export ... Say what?
As far as the federal government is concerned, any time you physically transfer, wire, fax, EDI, email, or in any way, shape, or form transfer technology or intellectual property to a foreign national, be they in your employ, in a wholly owned subsidiary, or in another country, you have exported goods from the U.S. and are subject to all export control regulations. This includes not just products and information but also services in the form of technical assistance. More information can be found in section 734.2(b)(2)(ii) of the Department of Commerce's (DOC) Export Administration Regulations.
The purpose of the regulations is to protect U.S. security, since a great number of technologies are dual-use, with both commercial and military applications. In this day and age, the US is very concerned about the proliferation of weapons of mass destruction to terrorist groups or any technology that could aid them in their goals of creating or acquiring such weapons.
In case you were wondering, all foreign nationals are covered unless they fall under an exemption such as having a green card. This includes students, interns, contractors, vendors, outsourcing groups, etc. Any foreign national who could have access to the technology (source code, plans, etc.) presents a risk.
As part of your outsourcing agreement, you must make sure none of the software being developed or tools used, such as add-on libraries, will run you afoul of export regulations. Furthermore, if outsourcing helpdesk or technical support functions, be aware that there are export issues there as well.
Dual Use Technologies
At a high level, the concern is primarily over weapons and dual-use technologies. For example, we can all agree that a shipload of military-grade explosives going to a terrorist is a bad thing. However, dual-use technologies necessitate special consideration. Let's say you have a new processor for controlling lathes that allows a CNC lathe to do a lot more than what was possible before. Is it a weapon? No. Could it be used to make a weapon? Possibly. If so, you need to be concerned about the technology, who the receiving party is, where they are located and what their intended end use is. Again, this is where it pays to work with people who are versed in export compliance.
Let's look at a different angle: suppose an employee emails a CAD drawing for a new missile design to an employee in another department for review who happens to be a foreign national with an H1B visa. In that case, a deemed export took place. At issue are where the H1B employee came from and whether technology of the type designed in the CAD file is legal for export to his home country or not -- and this type of technology is definitely controlled. Another point is export compliance must be handled in advance, not after the fact.
The Department of Defense (DOD), DOC, US State Department and other agencies can all limit what can and cannot be exported. I mentioned the DOC and their Export Administration Regulations (EAR), but truth be told, there can be a lot of agencies all having regulations for certain items, and the path must be carefully traversed by someone with sufficient professional knowledge to work with the agencies involved and keep the company in compliance.
Also, an adverse finding from a regulatory body in terms of failing to meet U.S. export regulations could trigger a Securities & Exchange Commission (SEC) disclosure under the Sarbanes-Oxley Act of 2002.
What to Do About It
For work that IT is directly involved with, carefully research and document the technology being used and the nationalities that comprise the proposed partner group. Work with professionals trained in export regulations to ensure all the details are covered and the organization will be in compliance with all applicable laws. Yes, these professionals may cost money ($1,500/day is common for external resources) and the process is lengthy, but the potential penalties can be severe. But do not succumb to "just do it" mandates. Take the time to ensure all documentation is in order. When in doubt, seek formal guidance from the appropriate regulatory agency.
As the above email example illustrates, IT must not only be concerned about its own technology, but also work with the organization's compliance group to ensure that appropriate controls are in place to limit risk for the organization. In other words, services provisioned by IT may be used legitimately, or exploited due to poor security, to allow deemed exports to take place. It is not the intent of the article to say that IT must handle everything. The point is that IT should work with the compliance department to see what controls are possible to help reduce the organization's exposure.
George Spafford is an IT process consultant. George has more than 12 years of experience in the fields of information technology and management.