On February 14, 2014, the U.S. Commerce Department’s Bureau of Industry and Security (BIS), Office of Export Enforcement, announced a $115,000 settlement with California-based Intevac, Inc. Intevac makes equipment and products for the hard disk drive, solar, and photonics industries. The company’s settlement with BIS stems from five technology-related violations of the Export Administration Regulations (EAR), and provides an informative case study on a particularly perilous compliance area.
According to the charging letter against Intevac, between January and May of 2007, the company gave a Russian national employee, an engineer, a login identification code and password that allowed him to access its computer network server. Both the engineer and the server were located at Intevac’s Santa Clara, California headquarters. Through his login credentials, the engineer could view, print, and create attachments from drawings (including blueprints) for parts related to a product used in hard disk drive manufacturing. Unfortunately, these drawings turned out to be classified under Export Control Classification Number (ECCN) 3E001 as development and production technology related to equipment controlled for export under the Commerce Control List’s Category 3. “Development and production technology” here means that the drawings are specific information necessary to develop and produce controlled electronics. As such, the drawings themselves are controlled for export for national security reasons.
Interestingly, BIS found that identification numbers for the relevant parts also constituted 3E001 technology in this case. They, too, are therefore controlled for export for national security reasons. Whether the part numbers would have been controlled in isolation, or are only controlled when placed in context with more substantive information like drawings, is an open question. Regardless, in this instance, BIS explicitly identified the part numbers as among the 3E001 technology to which the Russian employee had access.
This is where the EAR’s “deemed export” rule comes into play. Under the EAR (and other U.S. export control regimes, including the International Traffic in Arms Regulations), transferring technology to a foreign national is considered an export to that foreign national’s home country, even if that person is physically present in the United States. The transfer need not be direct, or even actually occur; simply providing a foreign national with theoretical access to technology is sometimes sufficient to create a constructive transfer constituting a deemed export. Thus, under the EAR, releasing technology to a Russian national who happens to be in Santa Clara, California is considered an export to Russia. And if that technology happens to be controlled for national security reasons – as 3E001 technology is – then exporting it to Russia by any means requires a license from BIS. Intevac didn’t have one when it granted its Russian engineer access to the server containing the controlled drawings. Consequently, it violated the EAR in a manner that could easily be attributed to an honest mistake.
The company’s next string of violations is not so easily explained away. At some point after Intevac released the controlled technology to the engineer, someone at the company realized that doing so without a license from BIS was illegal. On June 5, 2007, Intevac sought to ameliorate the situation by reporting the unauthorized release to the agency and applying for a deemed export license to allow the employee to access the controlled drawings. BIS granted that license three months later. Between submitting the license application and receiving the license, however, Intevac released the same technology to the same engineer on three separate occasions, thus committing three more unlawful deemed exports. In BIS’s estimation, Intevac committed these violations with knowledge that its conduct was prohibited. This was an aggravating factor in the case, and probably accounts in large part for the six-figure penalty amount.
In large part, but not exclusively. What came next didn’t help matters.
Intevac maintains a presence in several Asian countries, one element of which is a subsidiary, Intevac Shenzhen Company Ltd., in China. On May 21, 2010, in a scene reminiscent of the misstep with the Russian engineer, someone from that subsidiary used a login identification code and password to access the Intevac server in Santa Clara and open a file attachment containing 3E001 technology. As with Russia, exporting 3E001 technology to China requires an export license from BIS. A Chinese national located in China accessing 3E001 technology stored in the U.S. constitutes an export to China, and this one, as before with the Russian employee, occurred without a license. And just like that, Intevac violated the EAR again.
Intevac ultimately disclosed all of its misdeeds to BIS, a move that always mitigates potential penalties. This was especially prudent in this case, given the potential penalties involved; in addition to the standard monetary fine ceiling amount ($250,000 per violation) and the risk of losing one’s export privileges and eligibility to do business with the U.S. government, knowingly violating the EAR also invites potential criminal sanctions for both companies and individuals. Taking that into consideration, a $115,000 settlement amount is a relatively favorable outcome.
Now that the matter is fully resolved, we can extract from it one obvious observation and a roadmap of related export compliance best practices that Intevac obviously failed to follow.
The obvious observation is that deemed exports are serious business. In a BIS press release about Intevac, Assistant Secretary of Commerce for Export Enforcement David W. Mills said that deemed export compliance is a top priority for the agency, and that the Intevac settlement “highlights the need for companies to be vigilant to prevent the unauthorized release of U.S. technology and data.”
So how does one do that? The process begins with properly classifying your company’s controlled products. That will allow you to then identify which data related to those items are controlled. This is not always a simple exercise, as not all information related to a controlled product is necessarily controlled. Working through the germane definitions and potentially applicable exemptions must be done with great care, lest the final control parameters be over- or under-inclusive.
After your company has identified its controlled technology, the next step is to conduct a risk assessment on potential release points. Does your company have foreign national employees, like Intevac’s Russian engineer? Do foreign counterparts have access to your U.S. server, as Intevac Shenzhen Company employees did? Are there IT controls in place to differentiate between users and regulate access to technology accordingly? Is everyone in the company who may generate or handle controlled technology – customer service representatives, engineers, purchasing managers – trained on how to do so in accordance with applicable export controls, whether those are the EAR, the International Traffic in Arms Regulations (ITAR), the Nuclear Regulatory Commission and Department of Energy export controls, or some combination thereof? With whom do your employees share information? Do your company’s vendors (outside machine shops, data storage providers, etc.) have foreign national employees, an export compliance program, and all the other compliance infrastructure mentioned above? These are all questions you must ask when assessing your company’s technology risk profile.
Once you have identified the risks, you can then formulate and implement policies, procedures, and IT controls to mitigate them. Collectively, the written policies and procedures will form your company’s Technology Control Plan, or “TCP,” which BIS expects all companies that deal with controlled technology to have. The penultimate step is training your employees on the company’s TCP so that they are prepared and able to follow it. Monitoring the company’s overall export management and compliance program and adapting it to evolve with the organization is the final step, and one that continues in perpetuity.
As you might imagine, very little of this is straightforward or easy. Complicated issues and hard questions arise at every turn.