Exposure of sensitive or protected data isn’t merely a violation of data privacy regulations — it could also be a matter of national security, as multiple companies have recently learned. Renato Fazzone and Mike Carter of FTI explore issues related to State Department investigations.
The State Department recently resolved multiple investigations into corporations for hundreds of violations of the International Traffic in Arms Regulations (ITAR) and other export control laws. While these charges were connected to unauthorized exports and transfers of defense articles to multiple countries and violations of regulatory terms, they also underscored fundamental information governance oversights that contributed to serious compliance failures.
Several important governance lessons can be gleaned from the recent State Department investigations, across access control, device management, information governance policy and the role of self-reporting in compliance programs. Many organizations may primarily consider these areas of information governance and compliance in the context of data-specific regulations, privacy requirements and other legal risks. However, these cases highlight that information management policy and process breakdowns can carry severe implications, ranging from isolated sanctions violations to national security threats and hundreds of millions of dollars in penalties.
Data-transfer violations
One of the State Department’s recent cases, which was included as part of a $200 million settlement, involved unauthorized access to company information from an employee’s device while the employee was traveling in an ITAR-restricted destination. As described in a company disclosure to the State Department, the employee took a company-issued laptop that contained ITAR-controlled technical data and was capable of accessing the company’s U.S. network, on two personal trips to a prohibited country.
Though the employee had submitted a formal request to bring the laptop on the first trip, the country was not listed as a destination. A later update to the request indicated that the employee had been rerouted to the destination, but this was overlooked in review and not escalated. On a second trip, the employee similarly did not include the destination on the request to travel with company-issued devices. A later annotation to the request included the country name, but this was again overlooked and not investigated.
When these violations were later discovered during a compliance review and subsequently investigated by the government, it was determined that the incident exposed technical data with adverse impact to U.S. national security and Department of Defense programs.
Charges against a separate company revealed similar data access control breakdowns, resulting in exports and retransfers of sensitive technical data to unauthorized contractors, employees and countries. In numerous incidents, ITAR-controlled data was illegitimately downloaded and/or shared from an internal company document repository. Upon investigation, the company deemed that in some instances, the data had been misclassified, leaving it exposed to unauthorized access. Alongside other violations, these incidents resulted in more than $50 million in fines to the company.
How Leaders Can Avoid Modern Data Pitfalls
Mitigating risks of data is critical to getting the most out of new technology
Read moreProtecting vulnerable data assets
Given the increasing sensitivity, dispersion, volume, complexity, value and vulnerability of data across sectors, organizations operating as government vendors or subject to regulations like ITAR must recognize information governance as a business imperative. Preventing exposure of sensitive or protected data may very well be a matter of national security. Fundamentals companies need to evaluate and strengthen in their programs include:
- Data protection policies that address uniquely sensitive data, including technical data that may be governed by ITAR or other similar laws.
- Rigorous data classification and labeling, supported by clear authorization processes that must be followed for accessing and sharing each class of data.
- Access controls based on employee status, role, nationality and geographic location.
- Device management that automatically restricts access to company networks from unauthorized locations and notifies compliance teams of suspicious device access or activity.
- Governance and compliance officers — supported by advanced technology — to monitor for and investigate activity that violates regulatory requirements and/or company policies.
- Internal procedures for quickly flagging and escalating potential compliance violations, so they may be quickly understood and mitigated.
- Routine data access and protection testing conducted by skilled, independent third parties or internal audit.
- A defensible data archiving and deletion process for sensitive data that falls outside prescribed recordkeeping requirements to limit excessive exposure to data leakage.
- Strategy for how issues are handled once known, including the parameters, processes and personnel needed for determining when and how to voluntarily disclose violations to regulatory agencies.
These recent ITAR violations illustrate the importance of appropriately classifying data, implementing safeguards against wrongful transfer and maintaining strong access controls. Additionally, they make a case for the need to have strong data protection and compliance policies and processes in place — because even while strong controls may not prevent every incidence of data exposure, they make it easier for companies to detect issues faster. This in turn improves internal investigation processes and can support timely reporting when cooperation with regulatory authorities is needed.