A criminal complaint was unsealed in a Brooklyn federal court charging Aventura Technologies, a New York-based surveillance and security equipment company...
Are you ITAR compliant?
Keeping your data secure and compliant is getting more difficult as businesses become more software-driven. ITAR Guide was built to educate businesses on the data compliance requirements of ITAR and EAR, and to ensure they are taking the right steps in protecting themselves.

Get Your Risk Report Today
Average Violation Fine in 2018:
What is ITAR or EAR?
ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) are sets of compliance requirements designed to keep specific items and services out of the hands of foreign nationals.
These compliance requirements commonly apply to organizations involved in:
- Industrial & Machinery
ITAR specifically regulates the import and export of defense-related products, data and services that appear on the United States Munitions List. It typically applies to government contractors and subcontractors.
EAR is a parallel regulation focused on the commercial component of products, data and services. This applies to dual-use items appearing on the Commercial Control List, which are available for commercial sales and government use.
The penalties for violating ITAR and EAR are severe: violators can be fined up to $1,000,000 per violation and face up to 20 years of imprisonment. In 2018, the average total penalty was $2,889,373.
Yes, any contractors that come into contact with your sensitive data must adhere to ITAR and EAR as well. Keep in mind that physically shipping product or sending sensitive data to third-party contractors overseas is a violation.
Yes, you can still remain compliant while hiring foreign nationals as long as those employees are not able to access any sensitive data or the physical products that are subject to ITAR and EAR compliance.
No, using common email and phone services to store, receive, or send sensitive information is not ITAR or EAR compliant.
You must take special precautions when receiving, sending and storing sensitive data. For example, storing data on Google Drive is not compliant because contractors that are foreign nationals may be managing your data. The same goes for other third-party software applications you may use for business management, unless they are taking specific precautions such as hosting their servers on AWS GovCloud.
Even if you are storing your data locally, it may not be safe. You must be careful who accesses data via a desktop or laptop within your facility, and these devices cannot physically leave the country.
No, most popular third-party software applications like the Google suite of products, Airtable, or Dropbox are not ITAR and EAR compliant.
Yes, you can store data on the cloud and remain compliant with ITAR and EAR; however, you must be careful about how this data is stored and handled. ITAR and EAR restrictions apply not only to software providers but also to the infrastructure providers, such as Amazon Web Services (AWS), that handle the data. Most cloud-based software applications are hosted on a public cloud; however, there are ITAR-compliant clouds, like AWS GovCloud, on which applications can be hosted. Make sure you confirm you are using an ITAR-compliant cloud when storing data.
Storing, Sending and Receiving Sensitive Data
Where you store sensitive data, and which methods or applications you use to send and receive it, are important considerations when assessing your risk of non-compliance. If you store data on the cloud, or use cloud-based applications to send and receive data, be aware that ITAR restrictions extend to the infrastructure providers as well. If a cloud-based application is hosted on a popular infrastructure like Amazon Web Services (AWS), it could be non-compliant if it is a public cloud.
Using Third-Party Software
Using consumer-grade, off-the-shelf software (COTS) to store and manage sensitive data can put you at risk of violation. Common services like Google Drive and Dropbox, or software applications like Airtable or Quick Base, are not ITAR compliant because they host your data on a public cloud, which is accessible by foreign nationals.
Working with Third-Party Contractors
If you work with third-party contractors for design, finishing, or other services, be wary of how they handle your sensitive data, as they should be adhering to ITAR and EAR as well. Shipping product or sensitive data to third-party contractors overseas is a violation.
Employing Foreign Nationals
The objective of ITAR and EAR is to prevent sensitive information from being accessed by foreign nationals. That doesn’t necessarily mean that your business shouldn’t hire foreign nationals if you handle business that isn’t subject to these regulations. However, if employed foreign nationals have access to business software containing sensitive data or the physical goods or documents themselves, this can pose a major risk.
Since 2000, the government has been more aggressive in enforcing ITAR and EAR requirements, resulting in larger fines year over year for businesses.
ITAR/EAR Penalty Total Since 2000
Get our Free Compliance Risk Report Today
Take our brief quiz to determine your risk of non-compliance with ITAR or EAR.
The Compliance Risk Report will:
- Assess your risk of non-compliance and provide you with a Risk Score.
- Identify key areas of risk that need to be addressed.
- Provide suggestions on how to address these areas of risk and avoid non-compliance.
Get Your Risk Report Today
Disclaimer: Data entered into this questionnaire and provided in the "Compliance Risk Report" is for illustrative purposes only and does not constitute or pertain to any real-life scenario.
The U.S. Department of State has concluded an administrative settlement with L3Harris Technologies, Inc. (L3Harris) of Melbourne, Florida, to resolve alleged violations of the Arms Export...
The Department of State has concluded an administrative settlement with FLIR Systems, Inc. of Wilsonville, Oregon, to resolve alleged violations of the Arms Export Control Act...
On June 6, 2019, the U.S. Department of State published a Federal Register notice of 23 individuals and entities statutorily debarred for having been convicted of violating...
Want to talk compliance?
We are committed to providing you with the latest compliance news and resources. Talk with an expert today.