14 / 40
14
2017 California Export Guide
California.Think.GlobalI
t is common these days for com-
panies to store data in the “cloud,”
meaning it is on a server located
somewhere in the world. What if
that data is export controlled?
For example, a company has
defense-related technical data
controlled under the International
Traffic in Arms Regulations (ITAR).
Can it be stored on a server located
outside the U.S.?
In another example, a company
has dual-use technology controlled
under the Export Administration Regulations (EAR). Can the
company move it from a U.S. server to a foreign server?
Data as an Export
Is storing data on a server outside the U.S. considered an “ex-
port?” Under the recently revised definition in the EAR, “export”
means: “An actual shipment or transmission out of the United
States, including the sending or taking of an item out of the
United States, in any manner.”
“Item,” includes controlled information and data. The
regulatory agencies have consistently interpreted “export” very
broadly. Any way a controlled article or data can wind up in
the hands of a foreign person is considered an export. In fact, a
foreign person having access to data and information stored on
a server in the U.S. is also an “export.”
Thus placing controlled data on a server in another country is
an “export.”What do the regulations and interpretations say the
data owner has to do to make it exportable? Or should they just
forget about cloud storage altogether?
A recent Bureau of Industry & Security (BIS – the agency
within Department of Commerce responsible for enforcing
the EAR) rule establishes a “carve out” for transmissions of
controlled technology within a cloud service infrastructure if
there is “end-to-end” encryption of the data. This means that
“data eligible for the carve-out must by definition be encrypted
before crossing any national boundary, and must remain
encrypted at all times while being transmitted from one
security boundary to another.”
Any data sent to a cloud server outside the U.S., or moved
from a U.S. server to a foreign server, or potentially accessed
by a foreign person inside or outside the U.S. must be appro-
priately encrypted before crossing an international border (or
before any potential access by a foreign person). The means
of decrypting the data cannot be provided to any third party
before reaching the recipient.
Cloud Storage Data Requirements
The change to the EAR added some further requirements for
cloud storage of controlled technology:
• The technology must be unclassified.
• The technology cannot be stored in a country subject to a
U.S. arms embargo or in Russia.
• It must be secured using cryptographic modules compli-
ant with Federal Information Processing (FIPS) 140-2
standards, supplemented by software implementation, key
management and other procedures and controls.
What about ITAR rules for cloud storage? An interim Final
Rule, dated Sept. 1, 2016, contained revised definitions to the
ITAR. The rule did not specifically cover cloud storage; how-
ever, its revised definitions of “export,” “re-export” and “release”
encompass transfers of technical data to foreign cloud serv-
ers. Although a cloud storage rule under the ITAR has not been
finalized, controls similar to those under the EAR, ensuring that
sufficient means to prevent foreign persons from having access
to the data, are recommended.
So, do you know where your data is?
Bruce H. Leeds is Of Counsel for Braumiller Law Group
PLLC, which has offices in Los Angeles, Dallas, Toledo
Chicago and Mexico, and is online at
Braumiller.com.Storing Export Controlled Data in the Cloud:
Consider ITAR and EAR Regulations
By Bruce H. Leeds
Bruce H. Leeds