Cloud Computing’s Hidden Export Regulation Risks

February 24, 2012, by David
Object Storage
Grazed from Corporate Counsel. Author: Brad Breckinridge.

Thousands of Americans export data overseas every day without U.S. government authorizations and don’t even know it. How? By using cloud-computing services, ranging from personal services like Gmail to large-scale enterprise data storage solutions. While cloud-based services have become a valuable tool for improving efficiency, outdated government regulation leaves cloud users exposed.

Here’s an example. Imagine you’re an engineer working for a small firm in Indiana that uses a cloud service for data storage. One day you realize the company’s aluminum valves, used only by U.S. customers, could be improved with a redesigned “butterfly” mechanism. You revise the design specifications on your desktop computer and click “save.” Your company’s cloud provider routes your document to its network’s least burdened location—which happens to be in India—for storage…

Guess what? Controlled technical information was just exported to India without U.S. government authorization.

Under a literal interpretation of the U.S. Department of Commerce’s Export Administration Regulations (EAR), you and your company would be subject to penalties totaling up to $250,000 per violation. (If the data were military technology under the U.S. State Department’s purview, civil penalties could reach $500,000 per violation.) Violations are subject to “strict liability”—you would be on the hook even if you didn’t intend to “export,” or even if you didn’t know your technology is subject to controls.

But here’s the kicker: It’s unclear whether the U.S. would apply the rules literally, though there’s reason to conclude that the government would pursue this kind of case if the data involved were particularly sensitive and if the cloud user had failed to take appropriate steps to minimize risk. Only one of the various federal agencies responsible for trade controls has addressed cloud computing, however, and its guidance raised as many questions as it answered. This leaves compliance-minded companies in limbo. But while the lack of clarity causes heartburn for many, it also creates a golden compliance opportunity.


How Cloud Computing Causes Exports

Before analyzing the limited official guidance available, it’s important to understand how these services lead to inadvertent exports. Cloud computing is an innovative approach to reducing the growing cost of data storage and processing power. Instead of expanding their own IT infrastructure, companies can rely on outside providers for data storage and data processing.

Of course, “cloud” computing—so named because of the images that represent the Internet on data transmission diagrams—actually takes place on physical servers located somewhere, not in the mythical ether. And because cloud services are primarily valued for their cost-effectiveness, that “somewhere” is often an inexpensive location overseas.

Cloud users often have no control over—or even knowledge of—the locations where their data is stored. Moreover, the storage location can change at any time, based on the cloud provider’s resource needs and without the user’s input or knowledge. This easy mobility is one of the great virtues of the cloud, as providers can shift data rapidly in response to network events or take advantage of less congested storage options.

The compliance challenge for cloud users arises because of the fundamental tension between cross-boundary remote computing and trade controls. The applicable regulations—principally those enforced by the Departments of Commerce and State—define “exports” broadly to include data shipped or transmitted (even in electronic form) from the United States to a location abroad (or to a foreign national within the United States). These regulations extend far beyond data related to high-sensitivity or military-grade products. They can apply to a huge array of products and technical data—including seemingly low-sensitivity goods like certain engines, pipes, chemicals, ovens, and metals.

Reading the Tea Leaves

Of the U.S. agencies that regulate exports, only one—the Bureau of Industry and Security (BIS) within the Commerce Department—has provided even limited guidance on cloud computing. This dearth of guidance highlights the compliance challenge and also reflects a tacit acknowledgment that the existing regulations are poorly suited for this evolution in data handling.

BIS has released two cloud-computing advisories, both in the form of letters responding to requests submitted by unnamed cloud providers (not cloud users). The first letter, from January 2009, implicitly concluded that cross-border transmissions are exports, but it explained that the cloud service provider isn’t the exporter. This, BIS explained, is because the provider doesn’t receive the primary benefit of the transaction. BIS further reasoned that cloud providers’ services are not subject to the EAR because the provider is not shipping or transmitting anything (commodity, technology, or software) to the user. While helpful for cloud providers, BIS’s conclusions raise the question of whether a cloud user would be considered an exporter subject to the EAR. The guidance letter suggests strongly that the answer is yes.

BIS released additional (and narrower) guidance in January 2011, again directed only at cloud providers’ obligations. BIS stated that if a cloud provider employs foreign nationals, the provider generally is not liable for export control violations if the foreign nationals have access to the cloud users’ controlled data. (Under the “deemed export” rules, allowing a foreign national access to controlled data within the United States is legally equivalent to exporting the data to that person’s home country.) BIS returned to its 2009 guidance for the explanation: The provider is not an exporter because it isn’t transmitting anything to the cloud user. And, since it’s not an exporter, it cannot have made a “deemed” export to the foreign national.

Though narrow, BIS’s guidance is helpful for cloud providers (again), but it leaves big questions unanswered: If the cloud provider isn’t the exporter responsible for the deemed export, who is? The cloud user who stored the data on the provider’s system? Even if it had no reason to know that the cloud provider employs foreign national IT staff? BIS didn’t say.

The fact that BIS has issued only these two letters to date—and other agencies have issued nothing—is telling. Cloud users have surely sought guidance from BIS and the other key federal agencies. The likelihood is that the agencies have not responded because they have (so far) been unable to develop a logically coherent approach.

The federal government’s enforcement practices are also informative. Cloud computing has existed for some time now, and it almost certainly has resulted in a sizeable quantity of unauthorized exports since BIS issued its first guidance letter more than three years ago. But despite this presumably large volume of cloud computing exports, and despite the strict liability standard, none of the federal agencies with trade control responsibility has undertaken any public enforcement action. The lack of enforcement suggests again that the regulators haven’t figured out how to approach the cloud.

The Compliance Opportunity

The U.S. government won’t stay silent forever, of course. One or more trade agencies will eventually issue guidelines explaining who is on the hook for cloud exports (almost certainly the cloud user) and offering limited safe harbors to avoid liability. For instance, the agencies may conclude that cloud users have no liability if their provider commits to store their data only on servers located in the United States (even though the cloud user has no way of controlling the actual storage location), or that data may be stored abroad as long as it is protected by robust encryption technologies.

The lack of clear guidance and the absence of enforcement activity present a valuable opportunity for companies to take compliance steps now to mitigate potential future liability. Even if the U.S. government ultimately issues more demanding guidelines, taking a few manageable steps now can help limit liability by demonstrating an ethic of compliance and an attempt to manage risk against a backdrop of regulatory uncertainty. Some basic steps to consider include:

Classify Products and Data. If you haven’t done so already, first determine whether your products, services, and associated data are controlled under the EAR or the State Department’s United States Munitions List. Start this assessment by simply reading through the control categories (available on the agencies’ websites). While it may be useful to work with expert counsel in some cases, many companies can manage this project internally—a wide array of products and data clearly are not subject to control. If yours are not controlled, then you can rest easy.

Segregate Controlled Data. If there is controlled information in the mix, you need to take steps to avoid inadvertent exports through the cloud. For example, you could separate controlled data from uncontrolled, and remove all of the controlled information from the cloud—by, for example, storing it on your company’s own servers located in the United States.

Require Storage on U.S. Servers. Alternatively, you can work with a provider that guarantees not to use any servers located abroad or, if it does have servers overseas, not to store your data on them. This approach is not ironclad—in the event the provider breached the guarantee, you would still be on the hook for an unauthorized export. But it’s still a constructive step that would help you tell a compelling narrative in the event of an enforcement action.

Restrict Foreign Nationals’ Access. If you store controlled data in the cloud, you should also seek guarantees from your cloud provider that its foreign national employees and contractors are not in positions that allow them to access your data. While Commerce has clarified that the provider may not face liability, the government has provided no comparable assurance for the user.

Seek Licenses. As a nearly fail-safe solution, companies that use cloud services for controlled data can seek a license (from Commerce or State, depending on the data) authorizing exports based on the cloud’s operation.

Prioritize Training. Companies should also implement “cloud” training as part of their trade-controls compliance programs. Among other things, the compliance program should include periodic reassessments of the control classifications applicable to your products and data, and it should clearly identify the procedures applicable to storing and accessing controlled information. Unlike many other export-related compliance measures, which may be relevant only to certain individuals or departments in your company, the cloud training will be necessary for anyone who has access to controlled technology and the cloud system.

Write It All Down. Finally, and perhaps most importantly: keep clear records. Documentation of your efforts to enhance compliance and protect controlled data will be vitally important in the event enforcement agents knock on your door.