Data and voice encryption technologies are ubiquitous today, enabling secure communications that protect consumers and businesses from hackers and eavesdroppers in a digital world. Encryption's proliferation is spurring new regulations for business travelers and corporations, however, as governments around the world balance complex privacy and national security issues with global commerce and the relentless spread of technology. Crossing borders — whether in person or online — while unaware of these rules can risk serious penalties for noncompliance. In this Q&A, Pillsbury International Trade attorney Sanjay Mullick, who advises clients on export controls and technology transfer issues, explains factors heightening these cross-border encryption sensitivities. He offers recommendations for stakeholders seeking to comply with laws and mitigate the risk of business disruptions.
Q. Encryption tools have historically been subject to regulations. What has changed?
Mullick: Many nations have historically placed export controls on "outbound" encryption technologies produced by their domestic industries, motivated by a desire to keep technology away from potential adversaries. Assigning and managing these controls was arguably simpler when the ranks of encryption providers and customers were fewer and the methods for their distribution more limited.
However, in today's digital world, anyone with a Web browser can download almost any kind of software available. It is fundamentally more challenging to govern "who" can use "what".
A key example is the emergence of laws in multiple countries restricting the use or importation of encryption software, or imposing "inbound" controls. These can be triggered whether encryption will be sold or used internally and regardless of whether the technology enters the country physically or through "intangible" transfer, such as via the Internet. Just as businesses have always monitored their native countries' laws on technology exports, now global corporations have to understand these foreign laws as well.
Q. Where are these new laws having an immediate effect?
Mullick: Across our firm's offices in the US, UK, Asia and elsewhere, more large, multi-national clients are contacting us because they have a specific set of business-critical software and hardware systems utilizing encryption that must be deployed across all their offices in order to conduct operations and communicate among their affiliates within the corporate family. Increasing concerns about data security worldwide are accelerating this development. We help them understand and comply with various countries' applicable regulatory controls. Compliance is crucial – not only for timely market access but also for avoiding costly business disruptions that an enforcement action could cause.
Countries regulating encryption generally fall into three categories. Some, such as China and Russia, apply rigorous controls on such technology and require prior approval both of specific products and how they will be used. Other countries, for example France, Israel and South Africa, might not seek to restrict the technology per se, but do require advance authorization or declaration before encryption enters their borders. Finally, there are countries with minimal encryption regulatory controls. There can be exceptions in instances where encryption is limited for personal use, but eligibility must be checked carefully.
Q. Why the heightened sensitivity and new laws?
Mullick: First, encryption is everywhere today. It used to be confined to more exotic IT systems, but now it is embedded in everything from e-mail and secure Web-based software, which corporations increasingly favor, to handhelds and even portable hard drives which frequently have an encryption option. As encryption technology has evolved to become "better, cheaper and faster," it has seeped into everyone's home, office and briefcase, making it even harder to confine or monitor.
Second, the rash of data breaches we keep witnessing in the news — frequently due to lost or stolen hard drives, laptops or data theft by disgruntled employees — has propelled specific language in recent "anti-breach" laws enacted by US states, the EU and others. Many of these new laws specifically require adding encryption to any media holding confidential data, such as laptops and portable storage devices. Therefore, businesses are being forced to deploy encryption widely to meet government mandates, even as governments are simultaneously trying to restrict the same technology's reach.
Q. What are some implications here that should concern business?
Mullick: Businesses should worry about the potential inspection or seizure of their IT assets by Customs or other authorities looking for unauthorized technology. Each of us, for example, carries an immense amount of confidential data in our BlackBerry, laptop or other personal devices — from attorney-client correspondence to proprietary business data. If any devices containing these were to be seized, companies would have to assume they were effectively "compromised" and initiate everything from time-consuming password and account resets to costly and embarrassing breach notification procedures. Depending on the nature of someone's employer — if they held US government contracts, for example, or were accountable to healthcare privacy laws — there could be even greater — and costlier — repercussions, from fines to litigation.
As with many regulations, the impact ultimately depends on the level of enforcement. Encryption technology can be hard to spot and can also be transferred intangibly. However, we have recently seen efforts to enhance border personnel training and awareness in this area, to increase coordination between the encryption authorities and enforcement authorities. Also, companies doing business in a country can be subject to an audit, by which the government may seek to verify compliance. So, businesses cannot assume enforcement is unlikely or even that, if a good or software with encryption successfully gets into the country, the issue goes away.
Q. What recommendations do you offer affected travelers and global businesses?
Mullick: First and foremost you have to protect your data, and that requires hard analysis of where it is and who requires legitimate access. Since possession of encryption technology is the issue, and since encryption usually accompanies sensitive files, businesses need to reevaluate whether they have this data confined to those workers who legitimately need it on their person or in their remote office. For example, many firms are adopting secure Web-based applications for sensitive systems, which replace the need for multiple copies of sensitive data to exist across the enterprise; workers log in to access a single, secure copy instead.
Device management is another important concern; many business travelers tend to blur the lines between "work" and "play" with gadgets they carry. They may place corporate data on a personal phone or iPod, or install third-party software they prefer on a work computer. Management needs to have good IT policies in place that establish what kinds of devices and software are permitted for official use and fit their global compliance posture. It is impossible to comply with varying cross-border laws when you are uncertain what your travelers use.
Of course, good policies and enforcement help prevent data breaches and other security threats in the first place, cross-border compliance issues notwithstanding.
Finally, it helps to keep a "big picture" view of your enterprise IT systems and where they cross borders. CIOs like "enterprise-wide" systems, not disparate software for each country their company touches. This is where cross-border technology regulations can become especially daunting because it means, for example, that every piece of encryption software has to be approved in every single country. Depending on how the enterprise is organized (e.g., through regional servers supporting a global network), you may find that the movement of software across the network triggers export control and import control issues in multiple jurisdictions. In fact, those issues may help drive how the enterprise is organized and how information flows through it.
Because of all the benefits it brings, one would like to be able to anticipate that technology will always be desired globally and therefore be able to spread relatively unfettered in the interests of innovation and commerce. While much of that may be true, companies need to be mindful of technology trade controls which can pose significant risks for organizations operating in international markets.