What’s Up in the Cloud: The Potential Violation of Export and Sanctions Laws

The cloud creates potential dangers when combined with export control laws that regulate the export of technical data and software

Timothy P. O'Toole

One of the biggest technological advances of the past decade is the widespread use of cloud computing services to store electronic information. Cloud computing vastly expands network storage capabilities by allowing on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Whether applied to internal human resources software or an email system, cloud computing both increases efficiency and reduces information technology costs.

One of the primary advantages of the cloud is that data can be dispersed across servers located anywhere in the world. This means that companies choosing to use the cloud do not need to ensure that they have sufficient server space of their own to store more and more data as their electronic footprint continues to grow. But the very way in which the cloud transcends boundaries also creates potential dangers when combined with the export control laws, which carefully regulate the export of technical data and software and which take national borders very seriously.

What happens, for example, if a cloud user stores regulated technical data in the cloud and the servers holding that data are located overseas? What happens if the servers are located in a country that is facing U.S. economic sanctions? Were the export or sanctions laws violated? What if the company encrypted the data before placing it in the cloud? What if the cloud provider uses employees located overseas? What if the company simply did not know where the servers were located?

These are just a few of the many questions facing U.S. companies that handle regulated data and software, yet have significant business reasons to avail themselves of cloud computing services to store electronic information. At present, unfortunately, these questions have very few easy answers, as U.S. regulators have provided very little guidance on the subject.[1] It has been reported, however, that in the coming months regulators may issue guidelines for the use of cloud computing services, and that such guidance is likely to emphasize the importance of:

  • Encryption of the regulated data or software from end to end.
  • Meeting a set of uniform encryption standards.
  • The prohibition of any storage of regulated data in certain countries (most likely those countries facing U.S. sanctions and, perhaps, China and/or Russia as well).

In the meantime, it is important for any company that handles technical data or software subject to U.S. export control restrictions to ensure that, before placing sensitive data in the cloud or choosing a particular type of cloud service, it carefully considers the following factors:

  • Whether the data should be encrypted before it is stored.
  • Whether regulated data can and should be segregated from non-regulated data.
  • Whether any of the cloud provider’s servers are located outside the United States.
  • Whether the servers are potentially located in embargoed or sensitive countries.
  • Whether anyone with authorized access to the data (including company employees, cloud provider employees, any subcontractors, etc.) is located overseas.
  • Whether the cloud provider’s security and oversight policies ensure that the cloud user is kept informed at every step of a potential security breach.
  • Whether the cloud provider sufficiently encrypts data both at rest and in transit.
  • Whether sufficient steps have been taken to ensure that the data cannot be accessed by others overseas.

Only by carefully considering all of these factors, and potentially incorporating many of them into any contracts with cloud service providers, can companies ensure that they are not inadvertently violating U.S. export control laws.

[1] Regulators have issued a handful of non-binding advisory opinions, which themselves were limited to fairly unique circumstances.