The U.S. government recently fined a California-based technology company, Barracuda Networks, Inc. (Barracuda), and its wholly owned, UK-based subsidiary, Barracuda Networks, Ltd., more than $1.5 million for transactions relating to sales and servicing of equipment and software to Iran, Syria and Sudan. The products at issue (e.g., Web filters, link balances, firewall products and server backup software) can be used to block or censor Internet activity. The U.S. Department of Commerce Bureau of Industry and Security (BIS) announced a $1.5 million civil penalty, and the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) announced a $38,930 settlement relating to the alleged violations. Barracuda voluntarily disclosed the alleged violations to the government.
This case highlights the importance of maintaining a robust sanctions compliance program; screening available customer information, including IP addresses; and monitoring third-party distributors’ activity with respect to sanctioned countries and blocked persons.
On 26 occasions from April 2009 until April 2012, Barracuda sold products to parties in Iran and Sudan and to Specially Designated Nationals (SDN) in Syria, with knowledge of a violation of the Export Administration Regulations (EAR) and therefore in violation of General Prohibition 10 of the EAR. On 11 occasions, Barracuda’s UK subsidiary also sold or serviced devices of U.S. origin in Iran and Syria, also in violation of General Prohibition 10.
BIS attributed the significant penalty to Barracuda’s knowledge of the actions leading to the alleged violations. OFAC considered the following facts in determining the settlement amount:
- Barracuda did not have a sanctions compliance program in place and did not provide training to employees regarding export controls and sanctions.
- Barracuda knew or had reason to know that distributors and resellers sold products and updates to SDNs and customers in sanctioned countries.
- Barracuda knew or had reason to know that it was exporting goods, technology and services to Iran and Sudan because customers contacted Barracuda using IP addresses associated with those countries, and Barracuda did not screen the IP addresses.
- Barracuda knew or had reason to know that it was exporting technology to SDNs in Syria because the names of the SDNs were listed on the sales invoices.
- The nature of the technology sold, which has the ability to block or censor Internet activity, could have caused significant harm to the objectives of the U.S. sanctions program.
Many of these factors relate to failings in Barracuda’s sanctions compliance program. It is telling, therefore, that OFAC considered Barracuda’s remedial actions — including establishing a sanctions and export controls compliance program, creating an office for trade compliance and hiring a general counsel with subject matter expertise — along with the fact that it voluntarily disclosed the alleged violations, as mitigating factors in determining the penalty amount.
Even if the July 2015 nuclear deal with Iran is implemented in 2016, the primary sanctions and export controls at issue in this case will remain in full force and effect.