
When national security, regulatory compliance and information management collide

When national security, regulatory compliance and information management collide

Disclosing sensitive or protected data isn’t just a data privacy violation—it can also be a matter of national security, as several companies recently found out. FTI’s Renato Fazzone and Mike Carter examine issues related to State Department investigations.

The State Department recently concluded numerous investigations of corporations for hundreds of violations of the International Traffic in Arms Regulations (ITAR) and other export control laws. Although the allegations concerned the unauthorized export and transfer of defense articles to several countries and related regulatory breaches, they also exposed fundamental information management oversights that contributed to serious compliance failures.

Several important information management lessons can be drawn from the recent State Department investigations, concerning access control, device management, information management policies, and the role of self-reporting in compliance programs. Many organizations consider these areas of information management and compliance mainly in the context of data regulations, privacy requirements and other legal risks. These cases show, however, that failures in information management policies and processes can have far more serious consequences, ranging from individual sanctions violations to threats to national security and hundreds of millions of dollars in fines.

Data transfer violations

One recent State Department case, part of a $200 million settlement, involved unauthorized access to company information from an employee's device while the employee was traveling to an ITAR-prohibited destination. According to the company's disclosure to the State Department, the employee took a company-issued laptop containing ITAR-controlled technical data on two personal trips to the restricted country and accessed the company's US network from there.

Although the employee submitted a formal request to take the laptop on the first trip, the restricted country was not listed as a destination. A later update to the request showed that the employee's itinerary had been rerouted to that country, but this was missed in the review process and was not forwarded. For the second trip, the employee again did not specify the destination in the travel request for the company-issued devices. A later annotation to the request named the country, but this was again overlooked and not investigated.

When these breaches were later discovered during a compliance review and subsequently investigated by the government, it was determined that the incident exposed technical data that adversely affected US national security and Defense Department programs.

Charges against a separate company cited similar failures in data access controls that led to the export and re-transfer of sensitive technical data to unauthorized contractors, employees and countries. In numerous incidents, ITAR-controlled data was illegally downloaded and/or transferred from the company's internal document storage. During the investigation, the company believed that in some cases the data had not been properly classified, which led to the unauthorized access. Among other violations, these incidents resulted in more than $50 million in fines for the company.

Protection of vulnerable data resources

Given the increasing sensitivity, dispersion, volume, complexity, value and vulnerability of data across sectors, organizations operating as government suppliers or subject to regulations such as ITAR must recognize information management as a business imperative. Preventing the disclosure of confidential or protected data may well be a matter of national security. Basics that companies should evaluate and reinforce in their programs include:

  • Data protection policies that specifically cover confidential data, including technical data that may be subject to ITAR or similar laws.
  • Strict classification and labeling of data, supported by clear authorization processes that must be followed to access and share each class of data.
  • Access control based on employee status, role, nationality and geographic location.
  • Device management that automatically limits access to company networks from unauthorized locations and notifies compliance teams of suspicious device access or activity.
  • Governance and compliance specialists—backed by advanced technology—to monitor and investigate activities that violate regulatory requirements and/or company policies.
  • Internal procedures to quickly flag and escalate potential compliance violations so they can be quickly understood and mitigated.
  • Regular testing of data access and protection by qualified independent third parties or internal audit.
  • A defensible process for archiving and deleting sensitive data once established retention requirements have been met, to limit unnecessary exposure to data leakage.
  • A strategy for dealing with issues as they become known, including the parameters, processes and personnel needed to determine when and how to voluntarily report breaches to regulatory authorities.
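As an added illustration (not code from the article or from FTI), the following check combines several of the controls listed above: a classification label on the data, access decisions based on role, nationality and device geolocation, a managed-device requirement, and alerts raised to compliance for every denied access. The restricted-country code, role names and the simplified nationality rule are constructed placeholders, not values from the article or from ITAR itself.

```python
from dataclasses import dataclass
# Constructed placeholder values (assumptions, not from the article or any regulation):
RESTRICTED_COUNTRIES = {"XX"}                 # ITAR-prohibited destinations, as ISO codes
ALLOWED_NATIONALITIES = {"US"}                # simplified stand-in for "US person" status
ROLES_CLEARED_FOR_ITAR = {"engineer", "export-compliance"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    nationality: str
    device_country: str       # geolocation of the device at request time
    device_managed: bool      # company-issued and enrolled in device management
    data_label: str           # classification label on the requested object

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Access is denied if any reason is recorded."""
    if req.data_label != "ITAR":
        return True, []                        # outside this policy's scope
    reasons = []
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.role not in ROLES_CLEARED_FOR_ITAR:
        reasons.append(f"role {req.role!r} not cleared for ITAR data")
    if req.nationality not in ALLOWED_NATIONALITIES:
        reasons.append(f"nationality {req.nationality!r} not cleared for ITAR data")
    if req.device_country in RESTRICTED_COUNTRIES:
        reasons.append(f"device located in restricted country {req.device_country!r}")
    return not reasons, reasons

def review_events(events: list[AccessRequest]) -> list[str]:
    """Apply the policy to each event and return the alerts to raise with compliance."""
    alerts = []
    for ev in events:
        allowed, reasons = evaluate(ev)
        if not allowed:
            alerts.append(f"DENY {ev.user} -> {ev.data_label}: " + "; ".join(reasons))
    return alerts

# Constructed events: the second mirrors the travelling-laptop case described above.
SAMPLE_EVENTS = [
    AccessRequest("alice", "engineer", "US", "US", True, "ITAR"),
    AccessRequest("alice", "engineer", "US", "XX", True, "ITAR"),
    AccessRequest("bob", "sales", "US", "US", True, "ITAR"),
    AccessRequest("bob", "sales", "US", "XX", True, "public"),
]
if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS):
        print(alert)
```

In practice the geolocation and device-management signals would come from the VPN or MDM platform, and the alerts would feed the escalation procedure described in the list rather than a print statement.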

These recent ITAR violations illustrate the importance of properly classifying data, implementing safeguards against unauthorized transfer, and maintaining robust access controls. They also underscore the need for strong data protection and compliance policies and processes: even where strong controls cannot prevent every data breach, they help companies identify problems more quickly. This, in turn, improves internal investigative processes and supports timely reporting when cooperation with regulatory authorities is required.