Cyber threats and controlled data
The risks of violating export controls regulations due to a cyber incident
How can (European) companies be held liable and scrutinized by US authorities for violating US export controls legislation when data has been disclosed as a result of a cyber incident, such as a hack or a data leak? What can you do to prevent these violations, and if they have occurred, what can you do to minimize the damage?
Am I exporting data when a Chinese hacker has hacked my systems? If so, can I be held liable for violating export controls regulations? As ironic as that may sound, you might be facing these discussions if you do not prepare well for a cyber incident.
Theft of information from your computer systems by foreign cyber actors is not just a threat to your company’s competitive lifeblood, its intellectual property; where export controlled data is involved, it may even be seen as a threat to national security interests. Recently, a citizen and resident of the People’s Republic of China pleaded guilty before a U.S. District Judge to unauthorized access (‘hacking’) of information from The Boeing Company. But what if you have been hacked and the attacker(s) are not known?
What is an export?
According to the US Export Administration Regulations (EAR), ‘export’ means an actual shipment or transmission of items out of the United States. The European equivalent defines an export as the procedure whereby goods are taken out of the customs territory of the EU, and includes the transmission of software or technology by electronic media, telephone, e-mail or any other electronic means to a destination outside the EU. As can be seen, both definitions cover technology and data, not just physical goods.
What about cyber threats?
Although the US and EU export controls regulatory frameworks define ‘export’ and ‘transmission of technology and data’, neither makes clear whether this includes disclosure through a cyber incident. The question is whether a data leak or hack is considered an export and, more importantly, who is responsible for it?
The US State Department Directorate of Defense Trade Controls (DDTC) has recently expressed a broad view on export: “When military controlled data (ITAR) is released or stored on servers outside the US or in case such data is released to non-US persons, these are exports that require authorization”. This position is confirmed in the judgement of the Chinese citizen hacking into Boeing’s computer systems. A data breach whereby military controlled data is released outside the US would require mandatory and immediate reporting to DDTC.
The US Bureau of Industry and Security (BIS) has indicated that it will follow this broad view on exports, meaning that an unintentional disclosure of controlled data as a result of a hack or data leak will be considered an export for which authorization would have been required. Contrary to DDTC, BIS does not require mandatory reporting, but encourages the submission of a voluntary self-disclosure.
From this it can be concluded that not only are the cyber actors prosecuted (if they are caught at all), but your company is also at risk of being scrutinized by US authorities for violating export controls regulations in case of a data breach.
What does this mean for you?
The United States enforces its legislation extraterritorially. Any link that can be made with the US would mean that the US authorities can scrutinize your company anywhere in the world for violating US export controls legislation.
Now that the US authorities have stated that an export also includes data leaks or hacks whereby controlled data is potentially disclosed to non-US persons, companies are even more vulnerable to US prosecution. This affects, for example, companies trading in goods which include US content and which hold related content on their servers, and even companies that do not trade products at all but may have US export controlled data on their servers.
So far the EU authorities have not copied the broad view of their US counterparts on exports and cyber threats. On the other hand, discussions on the US-EU free trade agreement TTIP are still ongoing and data privacy and data flows are hot topics during the negotiations.
What can you do?
From an intellectual property perspective, companies focus more and more on their security controls to prevent data leaving the company unintentionally, to detect a breach in time, and to have a good response organization in place.
However, we often still see these preparations being conducted in relative isolation, driven by IT and security teams. A more business-focused approach, with representatives from various teams involved in your preparations and as members of your incident response team, will go a long way.
US authorities expect that you have assessed the risks and that cyber security is in sync with your business environment.
There are three approaches (shown in the figure ‘Approaches to cyber threats’, which is not reproduced on this page).
The ultimate test is to conduct a cyber incident simulation, putting the plans to the test. By conducting these simulations from a broad perspective, including regulatory aspects like export controls, you will be able to answer the questions above and to assess whether your organization is capable of a fast and effective response to a disruption or hack.
Would you like more information on export controls and cyber threats? Please contact Pascal Huizinga via +31882884514 or Theodorus Niemeijer via +31882881978.