Etymology, particularly the Greek or Latin roots of words, aids our understanding in much the same way as root cause analysis does. The Greek word for disclosure is αποκάλυψη, transliterated to apokálypsi, or “apocalypse.” Nomen est omen. This came to mind while reading the pronouncements proffered by various agencies this year – each of which influences voluntary disclosures of export control violations.
What once was a practical and efficient avenue for industry to inform the cognizant agencies of possible violations appears to have become a byway littered with mines, thanks to proposed and final rules issued by the Directorate of Defense Trade Controls (DDTC) and the Department of Defense (DoD). As it presently stands, contractors interacting with export-controlled information could face ruinous consequences if they act too reflexively in addressing cybersecurity incidents and events.
DDTC Proposed Rule
Let’s start with DDTC – an agency within the Bureau of Political-Military Affairs of the Department of State, which promulgates (pursuant to the Arms Export Control Act1), administers and enforces the International Traffic in Arms Regulations (ITAR)2governing defense trade.3 DDTC encourages companies to voluntarily disclose4 potential ITAR violations and considers such actions a potentially mitigating factor in ITAR penalties. ITAR penalties, it ought to be emphasized, are fearsome in terms of both size and imposition. For example, a willfully false or misleading statement on a registration or license application could lead to a fine of $1 million, a 10-year prison sentence or both.5 Further, civil penalties for ITAR violations have been imposed on a strict liability basis (i.e., without any intentional wrongdoing whatsoever). It is, therefore, unsurprising that DDTC received in excess of 1,200 voluntary disclosures last year.
On November 28, the DDTC published a notice6 requesting comments (on or before December 28, 2016) regarding a fully electronic Form DS-7787 that would serve as the vehicle for the submission of voluntary disclosures of violations of the ITAR. Some of the more worrisome aspects of the departure from the prior, narrative-based paper filings include the addition of fields that require7 the registrant to:
1. name all individuals involved, and provide their addresses and contact details;
2. identify the root cause of the violation;
3. identify the number of violations; and
4. provide a discovery date.
The form must be certified by an empowered official under penalty of perjury. Disclosure of any of the enumerated items poses a problem, but companies ought to be particularly concerned about providing the names and addresses of the individuals involved.
By DDTC’s own admission, the proposed form is part of an “IT modernization project designed to streamline the collection and use of information” allowing DDTC “to more easily track and analyze submissions.” Indeed, the form requires information about “disclosures with substantially similar circumstances such that prior corrective actions should have prevented the instant violation; disclosures with the same or related fact patterns; disclosures submitted by other parties.” The foregoing ought to be well-considered given the potential that such statements may not only dismiss mitigation of penalties but instead also lead to aggravating factors that result in heightened penalties. The form allows for “notification of a third-party violation” if the submitter is reporting a violation for which it was not responsible. It follows that a submitter may also provide notification of a third party’s prior similar violations, if known. As discussed below, this should be cause for extraordinary concern to companies.
DoD Rule Requires Disclosure of Data Breach in 72 Hours
After it was several years in the making, on October 21, 2016, DoD issued its final rule8 imposing safeguarding and cyber-incident reporting requirements on defense contractors with IT systems that process, store or transmit covered defense information (CDI). Under the rule’s expanded view of CDI, “export-controlled data” has been expressly adopted from the National Archives and Records Administration’s Controlled Unclassified Information (CUI) Registry to mean:
Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.
Notably, this is a rather broad definition for what constitutes export control data. In fact, the application of what constitutes export control data under the DFARS regime is limited only if it is “(1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” In other words, if the contractor possesses other information that is export controlled but was not “provided to the contractor by or on behalf of DoD in support of the performance of the contract” or “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract,” that information is not CDI, and its breach need not be reported.
To comply with the CDI safeguards, contractors must implement NIST SP 800-171 controls no later than December 31, 2017, pursuant to DFARS 252.204-7008. Contractors must also be prepared to preserve and protect images of all known affected information and systems for at least 90 days from reporting and provide DoD access to additional information or equipment necessary to conduct a forensic analysis. The data breach or cyber incident must be reported within 72 hours of discovery via the Incident Collection Form (ICF),9 regardless of the fact that contractor may not have all the information required by the form. Among the information sought on the ICF is the “type of compromise (unauthorized access, unauthorized release (which includes inadvertent release), unknown, not applicable).” Thus, within 72 hours of discovery, a contractor is required to report to DoD, inter alia, its unauthorized release, albeit inadvertent, of export-controlled data.
DoD Proposed Rule Would “Disqualify” Contractors With Export Control Violations
In the foregoing paragraphs, we’ve described DDTC’s and DoD’s respective disclosure paradigms concerning export control violations. It’s worthwhile noting that senior DDTC officials have stated publicly that everything DDTC does is coordinated with the Defense Technology Security Administration (DTSA). Indeed, DTSA is DDTC’s conduit to DoD. One infers that DDTC ought to have known that on October 31, 2016, DoD would issue a proposed rule titled “Withholding of Unclassified Technical Data and Technology from the Public Disclosure”10 (with public comments due on or before December 30, 2016). According to DDTC, the proposed rule took them by surprise. Truly, it surprised all of us.
By way of background, to receive technical data associated with DoD procurements, government contractors must, inter alia: (1) complete a DD 2354 Military Critical Technology Agreement with the U.S.-Canada Joint Certification Office, (2) mark and treat export-controlled information associated with DoD programs in accordance with various DoD directives,11 and (3) certify their compliance with U.S. export control laws. The proposed rule on “Withholding of Unclassified Technical Data and Technology from the Public Disclosure” states that when the DoD receives “substantial and credible information” that a qualified U.S. contractor has violated U.S. export controls, violated its certification, made a certification in bad faith, and/or omitted or misstated a material fact, DoD would temporarily revoke the contractor’s ability to access export-controlled technical data and technology. The temporary revocation becomes a disqualification unless the contractor rebuts the “substantial and credible information” underlying the revocation within 20 days.
DDTC has encouraged those in the industry to submit comments. Here, we propose the following concerns be raised during the comment period:
- First, the DoD must clarify whether a contractor’s submission of a voluntary disclosure to DDTC, BIS or the National Security Division of the Department of Justice is “substantial and credible information” that may result in the temporary revocation of its right to receive controlled technical data from DoD.
Second, would DoD’s own requirement to report a data breach be treated as substantial and credible information if the breach were an unauthorized release of export-controlled data?
Third, would a third-party disclosure to DoD of such a breach be considered substantial and credible information of export control violations?
Fourth, how would DoD treat past voluntary disclosures of export control violations given that settlement agreements with cognizant agencies are publicly available and are replete with admissions of export control violations?
Fifth, does DoD actually think that any contractor, regardless of size, is able to conduct a meaningful investigation and provide a rebuttal within 20 days of discovering the substantial and credible information?
Will There Be Any Contractors Left to Perform the Contracts?
The cognizant agencies have a vested interest in encouraging industry to voluntarily disclose potential export control violations. Voluntary disclosures are very often a result of a contractor’s well-honed compliance program; i.e., if the compliance program weren’t vigorous, there would be no discovery and disclosure of the violation. The existing voluntary disclosure paradigm transfers the bulk of the investigative burden onto industry itself, often providing useful learning opportunities for both the contractor and the government. Industry engages with the cognizant agencies on a level plane, offering real-world penetration scenarios that enhance the government’s predictive ability. The paradigm is more efficient and more effective than if DDTC and BIS, for example, had to build enforcement arms to police and prod industry.
Industry and its counsel do not make disclosures casually; they must be done correctly. Forcing industry into a corner by (1) mandating disclosure of information that opens up other potential avenues of liability and (2) limiting discovery and rebuttal to unreasonable timelines will likely lead to fewer disclosures or result in incomplete and therefore invalid disclosures. Given the concerns raised by the proposed rules, industry must tread carefully and involve outside counsel in all aspects of investigation and disclosure of potential export control violations. More importantly, the opportunity to effect meaningful change during the comment period is fleeting.