The US government recently fined California-based technology company Barracuda Networks Inc and its wholly owned UK-based subsidiary Barracuda Networks Ltd more than $1.5 million for transactions relating to sales and servicing of equipment and software to Iran, Syria and Sudan. The products at issue (web filters, link balances, firewall products and server backup software) can be used to block or censor internet activity. The Department of Commerce Bureau of Industry and Security (BIS) announced a $1.5 million civil penalty and the Department of the Treasury Office of Foreign Assets Control (OFAC) announced a $38,930 settlement relating to the alleged violations. Barracuda voluntarily disclosed the alleged violations to the government.

This case highlights the importance of:

  • maintaining a robust sanctions compliance programme;
  • screening available customer information, including IP addresses; and
  • monitoring third-party distributors' activity with respect to sanctioned countries and blocked persons.


On 26 occasions from April 2009 to April 2012, Barracuda sold products to parties in Iran and Sudan and to specially designated nationals (SDNs) in Syria, knowlingly in violation of the Export Administration Regulations and therefore in violation of General Prohibition 10 of the regulations. On 11 occasions Barracuda's UK subsidiary also sold or serviced devices of US origin in Iran and Syria – also in violation of General Prohibition 10.

Settlement determination

The BIS attributed the significant penalty that it imposed to Barracuda's knowledge of the actions leading to the alleged violations. OFAC considered the following facts in determining its settlement amount:

  • Barracuda had no sanctions compliance programme in place and provided no training to employees regarding export controls and sanctions;
  • Barracuda knew or had reason to know that:
    • distributors and resellers sold products and updates to SDNs and customers in sanctioned countries;
    • it was exporting goods, technology and services to Iran and Sudan (ie, because customers contacted it using IP addresses associated with those countries and it did not screen the IP addresses); and
    • it was exporting technology to SDNs in Syria (ie, because the names of the SDNs were listed on the sales invoices); and
  • The nature of the technology sold, which has the ability to block or censor internet activity, could have caused significant harm to the objectives of the US sanctions programme.

Many of these factors relate to failings in Barracuda's sanctions compliance programme. It is telling, therefore, that OFAC considered Barracuda's remedial actions – including establishing a sanctions and export controls compliance programme, creating an office for trade compliance and hiring a general counsel with subject matter expertise – along with the fact that it voluntarily disclosed the alleged violations, as mitigating factors in determining the penalty amount.

Even if the July 2015 nuclear deal with Iran is implemented in 2016, the primary sanctions and export controls at issue in this case will remain in full force and effect.

For further information on this topic please contact Andrew W Shoyer, Robert Torresen or Barbara Broussard at Sidley Austin LLP by telephone (+1 202 736 8000) or email (, or The Sidley Austin LLP website can be accessed at

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.