Under the ITAR, technical data includes any information “required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification” of a firearm and most ammunition. This information can take many forms, including written, electronic, visual, oral, video or other recording. Under the ITAR, providing technical data to any non-US citizen (other than a lawful permanent resident and certain refugees), is deemed to be an “export” to the recipient’s country of citizenship and the party doing the providing must obtain an export license first. But how can a firearms manufacturer, wholesaler, or retailer know for sure when foreign parties are the ones on the receiving end? There are some key areas in which best practices should be exercised to prevent unlawful “deemed exports” of technical data.
1. Hiring Practices
In the United States, a job applicant who is not a U.S. citizen need only be in possession of an appropriate visa or other work authorization to be legally employable. This is usually indicated on a new hire’s I-9 form. For any company in the firearms industry, a work visa and a completed I-9 are not enough, however, if the individual will be exposed to technical data in the course of employment. If you want to hire a non-US citizen who does not have a “green card”, even on a contract basis or through a temp agency, you’ll need to get an export license from the State Department if the individual will be exposed to firearms or ammunition technical data.
One place where firearm manufacturers can miss a potential problem if they aren’t careful is with off-site contractors who visit their facility to perform routine services. The new data entry team that was vetted only by a temp agency, the building maintenance crew, the overnight cleaning crew, the third-party security guards, the people who service the vending machines, and most other contractors who provide services at your facility, can all include foreign nationals working lawfully in the US. The problem is that most firearm companies have technical data in many places in their facilities. Without proper procedures, foreign persons working for your contractors can gain access to or be exposed to it. You should coordinate with your contractors to ensure that the people they send to your facility are US citizens or holders of “green cards” if their work could expose them to technical data. Companies that employ best practices have good standard operating procedures in place to control this risk.
3. Front Door Security
The gates and doors to your facility (including shipping and receiving docks and emergency exists) are critical bastions in your program to prevent the unauthorized exposure of technical data to foreign persons. Let’s start with your front gate or door. Vendors, customers, collaborators, guests, investors, and potential partners may come to your facility from all over the world, and that’s a good thing. But if they are going to be exposed to technical data during their visit, you need to ask whether they’re US citizens or lawful permanent residents (holders of “green cards”). Doing this can be as simple as adding a column to your visitor sign-in sheet that asks for citizenship. Foreign nationals should wear a different color badge than “US persons,” they should be escorted at all times and kept away from areas that could expose them to technical data, you should retain a copy of their passports and you should conduct a denied party search and clear them before granting access.
As for other doors and gates, your plant security system will be as strong as its weakest link. There should be controls in place for every door or gate to prevent subversion of the front door security program. In addition, your management team and employees need to know what the rules are and the reason for them so they respect and comply with the program.
4. Factory Floor Rules
In many firearm and component manufacturing facilities, there’s a way to give foreign visitors a factory tour that does not expose them to technical data. Start by using ITAR-trained escorts to lead the visitors and keep them in the main walkways (many factories denote these with yellow lines for OSHA purposes). Visitors shouldn’t be allowed close enough to machines to study the fixtures and they should be kept away from work tables with gages, quality records, work instructions and the like. No unsupervised conversation should take place with machine operators and no technical data should be discussed. Work instructions and process sheets should be positioned so they are not visible from the main walkways. No photos—obviously. Do a walkthrough yourself prior to the visit to make sure no technical data is visible. Oh, and, unless you have a license, don’t take foreign visitors (even owners and investors) into the rooms where the engineers and quality control people work to show them your expensive new measuring equipment or the schematics for the next generation firearm the company is working on.
Every factory is different and sometimes it is not possible to shield technical data from the casual visitor. Assess the situation well in advance of visitors’ arrival. Allow time to obtain a license if the visit will involve exposure to technical data.
5. Digital Data
These days, lots of technical data exists in digital form. Storing and transmitting that data is fraught with the potential for unauthorized exposure to foreign persons. For instance, storing technical data in commercial “cloud” services, such as Dropbox, iCloud, and OneDrive, is not currently permitted and neither is transmission of technical data by normal commercial email, even in encrypted form. Why? The problem is that the “cloud” can include servers outside the US and commercial email services can channel traffic through foreign countries. These services are also insufficiently secure to prevent access by unauthorized foreign persons to stored or transmitted data.
This doesn’t mean the ITAR isn’t permitting you to operate in today’s electronic world. It just means that employees need to know what can’t be done and the IT department needs to help find compliant solutions that work for your company, such as use of ftp sites, sending disks by courier, and “ITAR compliant” cloud solutions (as long as you make sure their system really is ITAR compliant).
The bottom line: When it comes to protecting firearm and ammunition technical data against unauthorized “deemed exports”, there is no substitute for good employee training and tight, written procedures. This is a place to be proactive in your compliance program. Ten thousand dollars spent today on training employees and instituting good procedures in these critical areas can help you avoid spending five times as much (or more) addressing the consequences of a serious ITAR violation.