Is being a victim of a cyber attack an ITAR violation? With all the reported stories of foreign attacks on U.S. based companies in which technical data has been reported stolen, should the victim submit a Voluntary Disclosure?
Cloud computing is very popular, it is commonly used by both service and commodity providers but the ITAR does not explicitly discuss or address cloud computing. The issue is, if your company was a victim of cyber attack and technical data was accessed by a Non-U.S. Person, is that an export as defined within the ITAR? Lets look at it:
“§ 120.17 Export.
(4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or “
Because the cloud was used as the vehicle to transfer technical data, is a cyber attack a violation to 120.17(4)? Yes of course. The issue is, is the U.S. Person (your company) responsible and should you submit a VD?
It is obvious the company didn’t intend to be “hacked”, but there are some that are leaning toward the premise that your company is responsible for implementing an effective and robust set of systems and processes to protect against unauthorized access to Technical Data (i.e. your Technology Control Plan). With that premise getting some “legs” it may be time to look ad a VD, but consult your export compliance officers and counsel before deciding.