Are You Doing Everything You Should to Protect Your Technical Data

Written by jon rydberg

|

February 12, 2015

|

0 comments
(Download) By Jeffrey G. Grody If you are a manufacturer of firearms, components, ammunition or accessories, you are most likely in possession of ITAR-controlled technical data, either your own, a third party’s or both. Technical data consists of the drawings, engineering files and other information used in the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of most firearms, components, ammunition and certain accessories. The International Traffic in Arms Regulations (ITAR) prohibit technical data from being transferred to a “foreign person”—someone other than a U.S. citizen or holder of a “green card”—without an export license, but unauthorized transfers of technical data can occur casually and accidentally. Transfers of technical data occur when data is given, shown or explained to someone else, when someone else works with the data, or even simply sees it.  If that someone else is a foreign person, an export has occurred. Experience teaches that even conscientious DDTC registrants can let their guard down in certain common situations, creating opportunities for technical data to be inadvertently “exported” to foreign persons without the registrant’s knowledge, consent. . . . .or an export license. Let’s take a look at three areas of concern and practical fixes that can be applied. Technical data you give to vendors. The area receiving the most attention today from companies that want to improve their export compliance programs relates to drawings, engineering files and other technical data that are given to vendors. The problem here is that you have responsibility for the technical data you put in the possession of a third party, but the information is out of your control.
  • Potential problems.
    • Vendor has no export compliance program, doesn’t know that technical data is subject to ITAR or what that means.
    • Vendor has foreign person employees who are authorized by visa to work in the U.S. but who are foreign persons for ITAR purposes.
    • Vendor sends the technical data to sub-vendors with no protection regarding export compliance; sub-vendors may even be outside the U.S. Employees, directors, temporary employees and contract workers. An area that does not receive the attention it should but which is rife with opportunities for unlicensed exports of technical data relates to members of an ITAR-registrant’s “family” of personnel who are not U.S. citizens but who may be exposed to technical data as though they are.
Employees, directors, temporary employees and contract workers. An area that does not receive the attention it should but which is rife with opportunities for unlicensed exports of technical data relates to members of an ITAR-registrant’s “family” of personnel who are not U.S. citizens but who may be exposed to technical data as though they are.
  • Potential problems.
    • Company has no policy or control to ensure that HR notifies the export compliance function of new foreign-person employees who are hired (i.e., individuals with an appropriate work visa).
    • Visiting employees of company’s foreign division or subsidiary are given detailed tours of factory where defense articles are being produced with detailed explanations of the processes used.
    • Certain members of company’s board of directors or representatives of a foreign parent company are not U.S. citizens but they are nevertheless given detailed tours of factory, receive detailed reports from engineers regarding the production of defense articles and in every other respect are treated the same as their counterparts who are U.S. citizens.
    • Non-U.S. citizen college students are hired as summer interns to assist engineers with projects involving design of defense articles.
    • Temporary employees are hired from staffing agency that affirms they are authorized to work in U.S. but which doesn’t identify employees authorized to work in U.S. only by visa.
    • Company unknowingly engages non-U.S. citizens as “independent contractors” because it has no process to confirm citizenship of non-employees.
    • Senior company officials give tours and briefings to anyone they choose, including foreign visitors.
Outside vendors who enter your facility. Think about the contractors who enter your facility over the course of a year and who may be exposed to technical data. In your factory there are any number of machinery service technicians, CNC machine programming consultants, environmental consultants, insurance auditors, and a host of others who are there at one time or another. For some of them, e.g., CNC machine programmers and service techs, exposure to technical data is likely to be an integral part of the reason they are in your facility in the first place. On the administrative side of your business, think about IT consultants who may be exposed to technical data in your IT systems. If you are careful, you may routinely put non-disclosure agreements in place with these contractors before you let them inside. But, do you know the citizenship of each individual on their teams?
  • Potential problems
    • The company from which you bought a new piece of robotic manufacturing equipment is helping you set it up for production as part of the purchase contract. The set-up team includes representatives from the manufacturer in South Korea.
    • You use an outside maintenance service for daily cleaning and maintenance of your facility. Their duties includes cleaning the engineering department, where engineers routinely leave their pending projects on top of their desks, and the office of the COO, who likes to put the latest product designs on his walls. Do you know whether the maintenance contractor’s employees are U.S. citizens?
    • Your company is guarded at night and on weekends by an outside security firm, whose employees walk the entire, empty premises over and over as part of their jobs.If they could be exposed to technical data while they walk around are they U.S. citizens?
Fixes. Here are some practical measures you can take to reduce the likelihood that your company will go astray in these areas:
  • Train, train, train. Training alone will not fix every compliance problem, but with the problems described above, it can help a lot. If your employees receive good, annual ITAR-compliance training, you can count on at least a few of them spotting some of these issues and speaking up. These situations also illustrate the importance of empowering your employees to let someone know when they see something going on that is inconsistent with their training.
  • Senior management leadership. Most, if not all, of the problems cited above involve matters that “fall through the cracks” in the interface of multiple company functions. Making sure things don’t fall through cracks at the interface of company functions is the job of senior management.If they let employees know that they take export compliance seriously and ensure that appropriate controls are instituted, the problems described here are much less likely to happen.
  • Vet all vendors and contractors. Some companies have instituted rigorous procedures to vet all vendors and contractors to confirm that the people who will potentially be exposed to their technical data are U.S. persons (and not on any “denied parties” list) and to fashion ITAR-appropriate solutions in other instances. Also, some companies ask vendors and contractors to confirm in writing that they have ITAR compliance programs in place or take other measures to ensure that an ignorant or under-informed contractor or vendor will not allow their technical data to be “exported.”
  • Institute controls. As important as training is (we list it first here for a reason), training alone is often not enough to prevent unintentional exports of technical data. You want to think about clear, written policies to address the situations described here and others like them and you also want to think about checks in your company systems to ensure that failures to follow policy are caught before a problem develops.
Are you reading things here that sound like your company? Our point is not that foreign persons can’t have anything to do with your business, just that an appropriate license needs to be in place before they exposure to technical data occurs. Consider an ITAR-compliance assessment as the first step in identifying the aspects of your compliance program that should be improved. You can’t fix all the problems until you know where they are. A systematic assessment allows you to direct your attention where the problems really are. If you need help with this, please contact us.   Contact Us Today

0 Comments