What’s Your Process for Protecting ITAR or Sensitive Data?
Make sure export-controlled information is going where it’s supposed to go.
In my December column, “One Errant Click and IP Protection is Gone,” I wrote of the importance of corporate IP protection. But the safe handling of ITAR or MIL data is even more vital to your company’s well-being.
PCB buyers must know what information they’re sending and where it’s going.
“An export applies to more than just physical product placed in a box being shipped overseas,” says Tom Reynolds, an export compliance consultant. “Most companies don’t realize the act of electronically sending information out of the country is considered an export.”
Most fabrication drawings don’t indicate whether they are export-controlled. Many board buyers fail to confirm the status of their customers’ files and often blindly send those out for quotes to both domestic and, unwisely, offshore PCB manufacturers.
That means a PCB buyer can inadvertently export information that is legally required to stay in the US.
Understanding how PCB files are controlled or protected is crucial to compliance, and companies can’t hope to comply with the regulations if they don’t understand the fundamentals.
It is crucial that EMS and OEM companies have a corporate compliance policy in place when it comes to managing export-controlled information, according to Reynolds.
“This is critical for several reasons, as companies need written proof they are making efforts to comply, especially when all documentation being received and sent is not clearly marked as it should be,” he says.
Another area of concern Reynolds identifies is that many companies rely on only one employee to manage all things related to export compliance, meaning there is no backup when that employee is on vacation, gets sick, or leaves the company.
Firms sometimes have no idea how to recover from this compliance vulnerability in a timely manner, leaving them legally exposed for possible violations of export control regulations.
A documented program that several employees have been trained on is best practice for companies that buy circuit boards. Here’s what firms should do on an annual basis to ensure they are keeping their compliance procedures up to date:
- Training. Most companies don’t know what they don’t know, and this is especially true when it comes to export compliance. Put together an internal compliance team to learn about these regulations and how they apply to your business.
- Policy and process. Develop a written plan for compliance and implement this program throughout your business. Make sure employees understand the importance of following it to protect themselves and the company.
- Audit and assess. Perform internal audits to see if your program is being followed, and if it’s not, find out why. It could be a training issue or a process gap. Find the root cause of the problem and fix it. Your company’s entire program should be reviewed at least annually as regulations do change.
As important as it is to know what information is being sent, EMS and OEM companies also should be clear on who is receiving that information.
Has your PCB supplier let you know what they can or cannot legally receive? Do you have that in writing?
If the PCB manufacturer is purely a domestic facility, this is more than likely a nonissue. But you should still be sure you have the manufacturer’s ITAR registration or some statement concerning controlled information on file.
If the domestic manufacturer also brokers PCBs from Asia, be sure you have a copy of its ITAR registration, and then find out how it segregates quotes that are permitted to be sent offshore from those that must stay domestic.
If your supplier is a pure broker, files accidentally being sent overseas is a real possibility. It is vital to have an agreement in writing with all involved parties that breaks down how sensitive files are to be sent and received, and to stipulate when they may not be sent at all.
Even with a concerted effort to safeguard controlled information, companies can find themselves with export violations. But, according to Reynolds, the US government gives “great weight” to those companies that come forward, voluntarily disclose mistakes, and – most important – make sincere efforts to improve.
“It recognizes that no company or individual is perfect,” he says. “Problems will happen and the purpose of having a program in place is not to allow those problems to repeat.”
PCB buyers need to ensure all data related to its printed circuit board purchases go only where they are supposed to. Retaining an export compliance consultant that can help your company minimize its exposure to export violations is a great insurance policy in this global economy.
Au: Tom Reynolds has more than 14 years’ experience as an export compliance consultant. He can be reached at firstname.lastname@example.org.
Greg Papandrew has more than 25 years’ experience selling PCBs directly for various fabricators and as founder of a leading distributor. He is cofounder of DirectPCB and can be reached at email@example.com.