Question: I read in the Daily Bugle recently about a small family-owned business in Maryland with only ten employees that had to pay a $78,750 penalty for alleged export violations. The article said they had shipped three HVAC duct fabrication machines to a company in China and received payments for them “without authorization from OFAC.” Can you tell me what this is all about? I’m familiar with ITAR and EAR export controls, of course. As a U.S. manufacturer and exporter, my company is registered with the State Department’s DDTC, and we’ve applied for multiple BIS export licenses using the SNAP-R system, but this was new to me. How much do I need to know about OFAC? Bottom line: how critical is this for my company?

Yes, you should know about this. Not knowing can be costly and painful, as that company you read about in the news—Precision Products Inc. (PPI) of Charlotte Hall, Maryland—learned to their dismay earlier this year. You, too, are among those to whom OFAC regulations apply.

OFAC, the Office of Foreign Assets Control, is an often overlooked but extremely powerful and far-reaching agency of the Treasury Department. Its mission is to administer and enforce economic and trade sanctions based on U.S. foreign policy and national security goals. Many of these sanctions programs—prohibitions on financial dealing—have been put in place by the U.S. Government to ensure that companies don’t unwittingly do business with terrorist organizations, sanctioned countries, nationals of some countries, and other specified entities who are engaged in activities related to the proliferation of weapons of mass destruction or other threats. Some OFAC sanctions are based on United Nations and other international mandates, and are therefore multilateral in scope, involving close cooperation with allied governments.

OFAC acts under Presidential wartime and national emergency powers, as well as authority granted by specific legislation. The agency has the authority to prohibit U.S. citizens and corporations from making payments, or providing anything of value, to embargoed countries, businesses, organizations, or individuals. It has the power to impose controls on business transactions of all kinds and freeze any assets that are under U.S. jurisdiction. It publishes the constantly updated list of over 6,000 names–the Specially Designated Nationals List (“SDN List”)–of companies and individuals whose assets are blocked. This is a “black list”: Americans are expressly forbidden to enter into transactions with any of these companies and individuals. U.S. exporters and importers are required to exercise due diligence in searching the SDN List and confirming that dealings with foreign countries are not in violation of OFAC sanctions programs.

In addition, OFAC prohibits travel to, and certain other dealings with, embargoed countries and entities. There are a handful of countries commonly referred to as “OFAC countries” or “embargoed destinations”—a few of the most widely known in recent years have been Cuba, Iran, North Korea, Sudan, and Syria—to whom comprehensive trade sanctions, administered by OFAC, have been applied. In other cases, the economic sanctions have taken a variety of forms, including arms embargoes, capital restraints, asset freezes, and trade restrictions.

Has OFAC been around for a long time? As an arm of the Treasury Department that sets out and enforces trade sanctions issued by the U.S. Government, OFAC is arguably one of the oldest law enforcement agencies in the country. It dates back prior to the War of 1812, when Treasury was first authorized to administer U.S. economic sanctions imposed against a hostile foreign power—in that case, Great Britain, which was harassing American sailors. In more recent times, between 1940 and 1947, Foreign Funds Control (FFC) and the Office of International Finance (OIF) were established as units of the Treasury Department, with legal authority deriving from the Trading with the Enemy Act (TWEA). FFC administered controls over enemy assets and restrictions on trade with enemy states during World War II. It was abolished in 1947, and its functions were transferred to the OIF. In 1950, the OIF morphed into the Division of Foreign Assets Control, when President Truman declared a national emergency and blocked all Chinese and North Korean assets subject to U.S. jurisdiction following the entry of the People’s Republic of China into the Korean War. In 1962, the Treasury Department changed the agency’s name to OFAC.

How critical is OFAC compliance? Absolutely critical. Understanding and monitoring OFAC compliance is a must for U.S. businesses who have foreign suppliers, customers, or clients, or who work with overseas partners. Exporters and importers who are “U.S. persons”—a regulatory term that should be well known to any compliance officer acquainted with the ITAR—are responsible for following OFAC regulations designed to halt terrorist and other illegal funds from circulating. In certain cases, foreign subsidiaries owned by U.S. companies and foreign persons in possession of U.S.-origin goods are also required to comply. So, if you are a small business owner or an individual doing business overseas, you need to familiarize yourself with OFAC. And if you are a company officer or manager in an industry with significant foreign trade, you need to make sure that OFAC compliance is an essential component of your corporate compliance program.

Penalties for violating the regulations administered by OFAC are serious, and have grown even more serious in the last few years. Depending on the sanctions program, potential criminal penalties for willful violations include fines ranging up to $20 million and imprisonment of up to 30 years. Civil penalties for violations of the Trading With the Enemy Act (TWEA) can be as much as $65,000 for each violation. Civil penalties for violations of the International Emergency Economic Powers Act (IEEPA) can range up to $250,000 for each violation, or twice the gain from the violation, whichever is greater. Over the past several years, the number and monetary value of enforcement actions by OFAC have increased dramatically: civil penalties and settlements rose from about $3.5 million in 2008 to more than $1.2 billion in 2014. These are not penalties that can simply be written off as “the cost of doing business”!

Yet OFAC compliance is the most commonly misunderstood and most likely to be forgotten element in corporate export compliance programs. Discussions of U.S. export controls are frequently dominated by and focused on ensuring compliance with the ITAR and EAR, while OFAC regulations are overlooked or undervalued. Yet OFAC rules generally override all other export controls, and OFAC restrictions may apply even when an EAR license exception or ITAR exemption is available.

The widespread tendency to underestimate the importance of monitoring OFAC compliance is especially problematic because OFAC’s programs are dynamic: the embargoes and sanctions, the scope and details of the restrictions, and the names on the SDN List and other lists change very frequently. What is more, new lists may appear at any time, as U.S. foreign policy refocuses in response to a rapidly changing world scene—witness the Sectoral Sanctions Identification List (“SSI List”) that OFAC issued in 2014, targeting transactions with persons in four sectors of the Russian economy: financial services, energy, defense, and mining. It is essential therefore that exporters check the Treasury web site frequently and have the necessary processes and internal controls in place to monitor compliance continuously. Firms with weak processes and controls limit their ability to prevent violations, or to detect and quickly deal with them if they do occur. They run significant risks of heavy fines and other damaging consequences.

In Part Two of this post, we’ll take a look at the three kinds of OFAC export authorizations available to U.S. companies—Exemptions, General Licenses, and Special Licenses, explain when you may need an OFAC Special License and how you can apply for one, and clear up a couple of common misconceptions. (No, OFAC requirements don’t impact only banks and financial institutions!)

In Part Three, we’ll look at the essential ingredients of a robust corporate OFAC compliance program. (Hint: simply checking your customers’ names and addresses against the SDN List is not enough!)

In today’s challenging international environment, the economic and trade sanctions administered by OFAC are likely to play a larger and larger role in cross-border transactions. It will be important for U.S. exporters to understand these controls thoroughly and keep abreast of changing requirements in order to focus on maintaining full compliance. The Export Compliance Solutions Training Academy provides a variety of training options—including 2-day regional seminars, in-house training, and live web-based seminars—that afford comprehensive coverage of ITAR, EAR, and OFAC controls, supplemented by case studies, practical advice, and help with strategic planning for your business. Check out the information on our web site about course offerings and online video training in export compliance awareness for your employees. Contact us by phone or e-mail to learn more. The ECS staff represents the most recognized expertise in the compliance field. We’re here to help!

Question: Thanks for the heads-up last week about the compliance risks of storing sensitive data in the cloud—and the good news that regulatory changes may be ahead. Are there other revisions to the EAR and ITAR in the works that are likely to impact my company’s policies for safeguarding export-controlled technology and technical data? As I look at the Proposed Rules published by State and Commerce on June 3, I get the impression that they’re mostly about definitions—clarifying the meanings of certain technical terms. How important is all that stuff, practically speaking, to a firm like ours?

Very important. Compliance requirements and potential violations often hinge on the definition of a single word! So you really need to review these proposed new definitions carefully—both the Commerce Department’s proposed revisions to the definitions in the EAR and the State Department’s proposed revisions to definitions in the ITAR— to determine what impact they would have on your operations and compliance obligations, should they be adopted.

As I’m sure you’re well aware, U.S. export controls under the ITAR for defense articles and services contrast sharply with the (generally) more liberal controls under the EAR for “dual-use” commodities, software, and technology. For that reason, it’s critically important that you determine accurately whether or not the items or technical data you plan to ship or transfer internationally are subject to ITAR controls. Making that jurisdictional determination requires paying careful attention to the current USML and the appropriate categories within the USML that apply to the export in question.

That’s one of the reasons it’s also vital that you follow closely all the recent changes that have been made to the USML—and the “600 series” ECCNs of the CCL— due to the ongoing Export Control Reform initiative, as well as those changes that are still being made. And that most emphatically includes proposed revisions to the definitions of terms!

The Proposed Rule published by the DDTC on June 3 is notable for its length (14 pages of hard copy in the small print of the triple-columned Federal Register) and for the unusually large number of revisions to the ITAR that are proposed. It contains a plethora of new definitions for regulatory terms, making it a veritable dictionary. Many of the proposed revisions are meant to harmonize the ITAR rules with those of the EAR. The BIS published a similar Proposed Rule with conforming amendments.

The key terms and phrases that would be redefined, clarified, updated, or adopted under the June 3 Proposed Rules include the following:

Technology
Technical Data
Public Domain
Fundamental, Basic, and Applied Research
Development
Production
Required
Defense Article
Defense Service
Characteristics and Functions (of an item)
Peculiarly Responsible
Export
Reexport
Release
Transfer (in-country)
Retransfer
End-to-end Encryption

For exports controlled by the ITAR, two of the proposed new definitions are especially noteworthy: “public domain” (vs. “technical data”) and “defense service.” That’s because these definitions potentially apply to every single category of the U.S. Munitions List.

We’ll take a closer look at the first of these this week, and discuss the second and more controversial of the two in a future post.

Revisiting “Public Domain”

The State Department proposes to revise the definition of “public domain” in ITAR Section 120.11 in order to simplify, update, and introduce greater versatility into the definition. The current version of ITAR Section 120.11 enumerates the ways in which “public domain” information might be published. State says that it now believes that defining “public domain” by a list such as this is unnecessarily limiting in scope and insufficiently flexible, given the continually evolving array of physical and electronic media and communication technologies by which information can be disseminated. The new definition they propose is intended to be more versatile than the list-based approach to identifying public-domain information sources.

Under the State Department’s proposed revisions to definitions in the ITAR, unclassified information and software are considered to be in the public domain—and thus not technical data or software subject to the ITAR—“when they have been made available to the public without restrictions upon their further dissemination such as through any of the following . . . .” Among the means of dissemination mentioned, 120.11(a)(4) is of special interest, as it includes in the “public domain” information available on publicly accessible web sites:

(4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public;

There are some important qualifications that should be carefully noted, however.

One well-known consequence of the open, uncontrolled nature of the internet is that a vast amount of information can be found online that was uploaded illegally, in violation of a wide range of national and international laws governing copyrights, patents, privacy, public safety, national security, and many other matters. Plainly, the discovery of certain technical data, information, or software on a web site carries no guarantee that the individual or organization posting it hasn’t done so in violation of U.S. export laws and regulations.

With regard to such contingencies, a note to the proposed revision to ITAR Section 120.11 warns that anyone exporting, reexporting, or retransferring export-controlled information found on the internet, or otherwise making it available to the public, will be committing an export violation.

Taken together, the new definition and the warning that accompanies it raise the specter of inadvertent illegal exports of ITAR-controlled technical data by U.S. exporters who had no reason to suspect that the information they were making use of was not in the public domain, given that it was already freely available to the public via the internet. Evidently foreseeing this concern, the DDTC immediately reassures exporters, in a second note to the new Section 120.11, that in such cases a person will not be considered guilty of an export violation . . . unless — as described in the revised Section 127.1(a)(6) — “such person has knowledge that the technical data or software was made publicly available without an authorization.”

But here’s the rub: how can your company be certain that any item of technical information found on the internet was properly cleared for public release before being uploaded? And if your company should inadvertently disseminate technical data that later turns out to have been controlled by the ITAR and uploaded to the internet by somebody else without DDTC authorization, how would you be able to prove that you did not “have knowledge” that it was export-controlled? Those are just a few of the questions and concerns that have been raised about the language of this proposed revision to ITAR Section 120.11. Discussions of these concerns between the regulatory agencies, the defense industry, the research universities, and the legal community are ongoing. It is possible that the language in the Proposed Rules will be revised as a result of those discussions. Whenever the DDTC and BIS publish their Final Rules on the definitions of these key terms — possibly within the next few months — we may find that some of these points have been addressed and further clarified.

Stay on the Safe Side

Be that as it may, here is what we recommend to you as the safest policy and procedure for your company under the current regulations — and none of the revisions currently under consideration by the DDTC or BIS is likely to change this greatly: before posting to the internet any technical information about your company’s products or research, other than non-proprietary general system descriptions or information on the basic function or purpose of an item, thoroughly review the USML and the CCL to determine if the information falls under U.S. export controls. If there is doubt about export jurisdiction, request a Commodity Jurisdiction determination from the DDTC; and if State should determine that ITAR controls apply, obtain an export license for the technical data, or request authorization for “release” of the document you want to post online from the appropriate agency, as described in Section 120.11(b).

Remember that knowingly uploading controlled technical data to the internet without appropriate authorization is a export violation that could have extremely serious penalties and consequences, for both you and your company, whether or not there is any evidence that a foreign national has read or downloaded the data. Don’t needlessly put yourself and your company at risk.

Paragraph (b) of the revised definition explicitly sets forth the DDTC’s requirement of authorization to release information into the “public domain.” This requirement is not new: it also exists under the current rules; the revised rules would state it more explicitly and amend some definitions to clarify the scope of the information covered, but the requirement is already there. Before you can make such information available, the U.S. Government must approve the release through one of the following agencies: (1) The State Department’s DDTC; (2) the DoD’s Office of Security Review (OSR); (3) a relevant U.S. Government contracting authority, if one exists, with the authority to allow the technical data or software to be made available to the public; or (4) another U.S. Government official with the proper authority for this.

In many cases, we believe that requesting a security review by the OSR will be the best and wisest route you can take in order to safeguard your company against the risk of an export violation. Guidelines for submitting documents for review can be found on their web site.

The experienced compliance professionals at Export Compliance Solutions (ECS) are well-positioned to advise you regarding the impact that the revised definitions in the June 3 Proposed Rules are likely to have on your operations and corporate export compliance programs, and to assist you with other export control issues as well. Our consultants frequently work with ECS clients to review their current classification policies and procedures, conduct large-scale or multi-national classification projects, train employees in navigating complex reporting and recordkeeping requirements, discover ways to enhance and streamline administrative processes, and more effectively implement internal compliance audits and assessments. As America’s premier trainers and consultants in EAR and ITAR compliance, we can help you make sure that your company maintains full compliance with the changing Commerce and State Department regulations.

Question: Is there any reason that our company can’t use a cloud storage service provider, such as Dropbox, Google Drive, Box, or Microsoft Office 365, to store and share export-controlled information and technical data? Most businesses are using the cloud these days. Are there any problems with this?

The simple answer is, Yes, there are problems. Serious ones. Uploading your ITAR-controlled technical data, or controlled technology subject to the EAR, to “the Cloud” while maintaining full compliance with U.S. export laws and regulations is very challenging, and carries with it a high risk of violations and penalties. As we’ll be explaining on this blog, regulatory changes appear to be on the way. In the not-too-distant future, U.S. companies may be able to use cloud computing and other online digital services, subject to certain encryption requirements, to transfer and store their unclassified technical data without the need to obtain licenses or other authorizations. Hope is on the horizon. At present, however—yes, there are problems.

Even though cloud computing is a rapidly advancing technology at present, with more and more businesses routinely using Dropbox, Google Drive, and similar online services, this has been—and still is—a confusing regulatory area for which State and Commerce have provided very limited guidance until recently. We’re glad that appears to be changing now.

Nevertheless—even after the long-awaited publication of new Proposed Rules by the DDTC and BIS on June 3 containing multiple clarifications and definitions, and even after the issuance of an interim rule by the DoD on August 26 addressing requirements for cloud computing services—it is still far from clear how exporters can be certain they are fully compliant with the EAR and ITAR and avoid inadvertent violations when uploading controlled data to the cloud. A storm of controversy continues to swirl around the subject of cloud computing, IT security, and export controls. Discussions between the defense industry, research universities, the legal community, and the regulatory agencies are intense and ongoing.

Until the dust settles on this, we recommend extreme caution in using any commercial cloud storage service for information storage and transmission when export controls apply. Without clear regulatory guidance, contracting with a third-party for transferring and storing your ITAR-controlled and EAR-controlled data and technology electronically may expose you and your organization to the risk of violating U.S. export laws, with severe penalties and consequences.

But my cloud service provider assures me that my data is absolutely secure—so secure that they themselves have no way to decrypt my files without my password, even if I asked them to.

Yes, Dropbox, Google Drive, Microsoft Office 365, and similar services offer a secure and convenient online environment for storing and sharing documents, and are widely used and trusted in industry for work collaboration, file sharing, and data maintenance. And it is true that they typically provide multiple security precautions, including using SSL for transmitting content and their own separate layer of AES-256 bit encryption server-side.

Nevertheless, even though these IT companies have strict internal security policies limiting access by their employees to their customers’ files, it is evident in many cases that user-data files stored on their servers are in principle accessible by their staff—which may include individuals who are not U.S. persons as defined by the ITAR.

Read the terms of your storage provider’s user agreement and privacy policy carefully. Those legal documents frequently include such warnings as the following: “If we are required to provide your files to a court or law enforcement agency, which we may do under the conditions set forth above, we will remove the encryption from the files before providing them to the authorized government officials.” You’ll also see various disclaimers of responsibility in case of data-security breaches, and statements indicating that the provider has a process in place for contingencies when their system is compromised. Some cloud storage providers claim in their promotional materials that your data is absolutely secure, but remember that what they advertise and what you agree to when you open an account are two different things.

The convenience, economy, and popularity of online services notwithstanding, the use of third-party providers for storing and sharing ITAR-controlled technical data remains problematic. Why?

Here’s one reason: U.S. export control regulations prohibit the unauthorized sharing of controlled technical data with non-U.S persons or foreign nationals, and also prohibit transactions with certain foreign individuals and states. This prohibition includes any form of sharing, including electronic “transmission,” and including even theoretical access to such data by IT administrators or employees who maintain the electronic data storage and transmission systems and who could potentially monitor them. Whenever you store or transmit controlled technical data via non-company servers, you are, in effect, sending your data through cyberspace on the back of a virtual postcard, and you are liable for any access to that data by unlicensed foreign nationals while it is in storage or transit—even if the access is unintentional, and even if you were not aware that the access was occurring.

Remember that commercial cloud computing and online data storage services are not U.S. defense firms; they are unlikely to have segregated systems to protect ITAR-controlled information from foreign-person access. Under the export regulations currently in effect—ignoring, for the moment, proposed revisions to the EAR and ITAR that are under consideration but haven’t been finalized—even high-level encryption is not an adequate security measure for protecting your company’s controlled technical data on non-company servers. Currently, transfer of the data to a server or network location outside the U.S. constitutes an “export” even if the data is encrypted. Furthermore, providing employees who are not U.S. persons, whether they are employed in the U.S. or at non-U.S. offices, with the ability to access ITAR-controlled data (even if they don’t actually access the data) may constitute an “export,” even if the data is protected by encryption.

Here’s another reason: using external providers of cloud storage and file-sharing services, such as Dropbox, Box, or Google Drive, for ITAR-restricted data is problematic because it is difficult or impossible to know where their servers are physically located (that is, whether they are in the U.S. or overseas), how they route data traffic (particularly during peak hours or off-times), or whether their security procedures are truly adequate all along the line to prohibit access to your data by foreign nationals. Most—if not all—cloud computing services routinely use a network of servers that extends beyond U.S. borders. In reality, you have no idea where your data is currently stored—and wherever that may be, it could change tomorrow. Yet any transfer of data from the user to a server outside the U.S., as well as any transfer of the controlled data between two foreign-located servers, constitutes a “transmission,” and thus an unauthorized export, according to current U.S. laws.

But didn’t all that change this year? I read in the news that BIS and DDTC have relaxed their rules now, in recognition of the growing popularity of cloud computing, and that the export regulations have been amended to permit cloud storage of ITAR and EAR data in certain circumstances. Did I hear you right? Are you telling me that’s not true?

You heard me right. That’s not true. Those amendments to the ITAR and the EAR you heard about have not been made—at least, not yet. Here’s what is true:

On June 3, 2015, both the Commerce Department and State Department published long-awaited proposals for revising the EAR and ITAR in order to provide security standards for the transmission and storage of ITAR- and EAR-controlled data and information. If these Proposed Rules are adopted and finalized, they could well represent an important step towards clarifying what exporters need to do in order to comply with U.S. export controls with regard to the transmission, storage, and “cloud” processing of export-controlled technical data, technology, and software.

Among other things, if the revisions proposed on June 3 are eventually adopted and published as final rules, transmitting or storing electronic data in a way that meets certain specified security standards will no longer constitute an “export” of the data, and therefore will not require a prior export authorization or be subject to some other restrictions. Specifically, the June 3 proposals from State and Commerce both say that sending, taking, or storing technical data, technology, or software will not be considered an export when the following conditions are met:

(1) The data must be unclassified;

(2) The data must be secured using “end-to-end encryption” (as defined in the proposed new rule);

(3) The data must be secured using cryptographic modules compliant with a certain encryption standard—FIPS 140–2, or its successors [in stating this condition, the BIS proposal adds the phrase “or other similar cryptographic means,” whereas the DDTC doesn’t wish to add that phrase]; and

(4) The data must not be stored in certain prohibited countries [for the BIS, this means the server locations can’t be in countries listed in Country Group D:5 (see Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation; for the DDTC, this means no data should be stored on servers situated in ITAR Section 126.1 Proscribed Countries or in the Russian Federation].

At first glance, these proposed changes look very hopeful. By providing clarity and legal certainty in this regulatory area, they promise to simplify the compliance process greatly. If implemented, these provisions could offer U.S. companies the option of using the new cloud technologies for transmitting and storing export-controlled data without the risk of export violations, as long they exercise due diligence to ensure that those data security requirements are met.

On closer examination, however, there are some notable caveats in these Proposed Rules:

(1)        Both proposals make it clear that if information should be “released” that permits foreign persons to access your encrypted controlled data (e.g., decryption keys, network access codes, passwords, etc.), then this data transmission or storage will be considered an export, and will be subject to all applicable licensing requirements and restrictions—and penalties for export violations.

(2)        To qualify for this exclusion, your transmission or storage must utilize “end-to-end encryption.” In both the State and Commerce proposals, this means that cryptographic protection of the export-controlled data must be continuous and uninterrupted between the originator and the intended recipient (who could be the originator himself, in the case of simple file storage or archiving). At no point in the process can access in unencrypted form be given to any third parties. That includes internet service providers (ISPs), application providers (such as Microsoft Office 360 or Google Office), or cloud storage providers (such as Dropbox or Box), or any other online services.

(Note: BIS and DDTC are insisting on this condition because they are have found that the methods and procedures currently used by third-party digital service providers, including popular cloud software providers and some e-mail services may allow the data transmitted to be encrypted and decrypted multiple times before it reaches its intended recipient. BIS and DDTC both believe this presents an unacceptable risk of unauthorized release. Keeping the data encrypted from start to finish is the simplest and surest way to minimize the possibility that a foreign cloud service provider or a non-U.S. person employee of a domestic cloud service provider will get access to your ITAR-controlled data or EAR-controlled technology or software in unencrypted form.)

(3)        To qualify for this exclusion, your export-controlled data cannot be stored on, or pass through, any servers in certain specified countries that pose significant national security risks, including the Russian Federation.

On the whole, the provisions in the June 3 Proposed Rules allowing the transfer and storage of properly encrypted technical data are good news for U.S. exporters and should be welcomed. These changes would allow controlled technical data originating in the U.S. to be stored in one or more countries outside of the United States without export licensing, provided the data has been properly encrypted and isn’t stored in arms-embargoed countries or Russia. The proposed security requirements are strict and would almost certainly create complications for the current business model of most cloud storage providers, forcing them to make some changes in the way they operate if they want to serve customers with EAR- and ITAR-compliance requirements. But the requisite changes would appear to be within their capabilities, and the potential benefits of the new rules—which include, among other things, considerably reduced administrative burdens for U.S. manufacturers and suppliers of defense articles and services— are great.

Remember, however, that until State and Commerce have finalized their proposed amendments, the current regulations remain in effect. Until they have been changed, we recommend using locally hosted applications for storing and sharing sensitive technical data. The pundits may well be right when they tell us that the future of data storage is in the cloud, but for now, if your data is export-controlled, the safest place for it is in-house.

There are other important regulatory changes in the works with the potential to impact cloud computing, IT security, and export controls. Next week we’ll look at a few of them. Sign up today for notifications of future posts—and join the discussion by sending your own questions about export compliance to “An EAR . . . to the ITAR.”