Tuesday, May 28, 2013

Export Regulations and Cloud Computing...Beware!

Co-authored by Perry Sofferman

Forrester Research predicts that the global market for cloud computing services will grow from $40.7 billion in 2011 to approximately $241 billion by 2020. You can see the ZDNet article here. This figure includes the Platform as a Service, Infrastructure as a Service and Business Process as a Service delivery models. What this information reveals is that while cloud computing is already a significant part of operational strategy for many businesses (as well as governmental agencies), we should expect it not only to grow as a market but also to become even more intertwined with the way we conduct business and store data on a daily basis. Consequently, businesses in general and export compliance officers in particular need to be vigilant and make sure that their use of this important technology is consistent with US export regulations.
When using cloud services, the user is uploading data to available servers in the cloud provider’s server facility(ies). The type of data uploaded and the location of the server where that data is stored can potentially trigger export compliance issues for the user. In fact, the ultimate location of the particular server used to hold the user’s data may be unknown to either the user or the cloud provider. Data can be redirected to various servers in different countries in order to properly allocate server space based on fluctuations of usage in different time zones. It should be noted that this is only one example of several possible scenarios where the actual export of restricted data could occur inadvertently by the user.
Based on Advisory Opinions issued by the Bureau of Information and Security (“BIS”), there is guidance indicating that in scenarios where exports take place through means of cloud computing:
  • (i) the cloud computing provider is not the exporter (the user is) and
  • (ii) if foreign nationals employed by the provider access restricted data there may well be a deemed export of such data to such foreign national on the part of the user.
If, however, a cloud computing service provider is aware that the service will be used to support certain proscribed activities, then the provider will be obligated to properly acquire the necessary license. Neither the Directorate of Defense Trade Controls (DDTC) nor the Office of Foreign Assets Control (OFAC) has yet provided substantive guidance on the subject of export regulations in relation to cloud computing, although OFAC has provided some limited guidance related to exports to Iran involving software and services incidental to personal communications. “Cloud Computing” remains an undefined term in the EAR, ITAR and OFAC regulations.
Top 5 Tips for Export Compliance Professionals in Regard to Cloud Computing  
  1. It is critical for compliance officers and others involved in export control management, including providers of cloud computing services, to take steps to better familiarize themselves with the many complex issues at play in this area. A good start would be a detailed review of the BIS advisory opinions, which can be found here.
  2. In addition, users of cloud services should think about how to approach this issue with their providers. Users might consider gaining a good understanding of where their provider’s servers are located and whether the providers have instituted any safeguards to address export compliance issues. Likewise, providers may want to delve more deeply into the ITAR regulations with particular emphasis placed on the relation between cloud computing services and “brokering” activities.
  3. Compliance officers should make sure that members of their organizations are aware that export regulations are applicable to cloud services and that while the storage of data in the cloud might feel virtual, the penalties for export regulation violations remain brick and mortar.
  4. While exporters remain liable for violations of export regulations, compliance officers should work with their IT departments when negotiating the terms of agreements with cloud services providers. For example, require the service provider to notify you in the event servers are added in geographic locations that might be problematic for you. See if it is possible to obtain a right to terminate in such an instance. In addition, try to get the provider to indemnify you in the event there is an export violation as a result of a provider’s action or inaction.
  5. Make sure a review of how your organization uses cloud services is part of your standard compliance self-audit so as to identify any possible problems or lapses before they become significant.
In a speech in 2012, Under Secretary of Industry and Security Eric Hirschhorn noted that a future project for the Bureau might be a review of “for clarification’s sake – the rules regulating cloud computing.” For both users and providers, such a review should be anxiously awaited.

Wednesday, May 22, 2013

June 10 - FSMA Rules Will be Released!

The U.S. Food and Drug Administration (FDA) has been ordered by a court to set firm dates for FSMA's implementation. Details of the court case forcing FDA to set these dates, and of the organization that sued the FDA to make this happen, follow.
The Center for Food Safety (CFS), a national non-profit public interest and environmental advocacy organization, filed a lawsuit against the FDA on August 29, 2012.  The complaint alleged FDA failed to promulgate 7 food safety regulations required by the Food Safety Modernization Act (FSMA).  Congress enacted the FSMA – which was signed into law on January 4, 2011 – to modernize food safety laws and regulations by mandating science-based standards and controls; by providing the FDA with greater authority to prevent and address food safety hazards by taking steps to prevent them from occurring; by strengthening the FDA’s inspection and enforcement powers; and by improving coordination among federal, state, and foreign food safety agencies. CFS documented the foodborne illness outbreaks since FSMA was signed into law, January 4, 2011.

Court Order
The court case is being heard by Judge Phyllis Hamilton, in the U.S. District Court for the Northern District of California.  Yesterday, May 21, 2013, Judge Hamilton ordered that the FDA and CFS have an extended deadline of June 10, 2013 to file a joint statement with a mutually agreeable proposed schedule for the outstanding food safety rules.

Rationale for Suit and Missed Deadlines
The ongoing battle between the CFS and FDA to complete this process has lasted for several months. In August 2012, the CFS filed a suit against the FDA Commissioner after the FDA missed a series of deadlines for publishing the regulations mandated by the Food Safety Modernization Act. After numerous deadlines went by without the release of the mandated rules, CFS went to court to try to force FDA to adhere to these time constraints. Following the court appearance, Judge Hamilton ruled that the FDA must come up with a new schedule for issuing the proposed rules by May 20. This extension came about because the FDA and CFS had not been given adequate time to resolve their differences regarding the schedule FDA suggested for issuing the proposed rules.

The FDA sent its updated schedule to CFS on May 15; however, CFS was not satisfied with the proposed timeline. Because there were only five days left until the deadline expired, the parties filed a Joint Stipulation for Extension of Time. This extension was granted by Judge Hamilton.

New Rules Released by FDA & What's to Come
Since CFS filed its complaint last year, FDA has released some of the key FSMA-mandated rules it failed to publish on time, including preventive controls for human food and standards for produce safety, both released in early January. However, there are some rules that are yet to be released. Among them are the foreign supplier verification program (section 301), which is set to overhaul import safety; regulations to ensure the safe transport of food products; and a rule ensuring neutrality of third-party audits. I think of the foreign supplier verification program as akin to C-TPAT (Customs-Trade Partnership Against Terrorism). It's a self-policing and auditing type of program that includes functions like monitoring records for shipments, lot-by-lot certification of compliance, annual on-site inspections, checking the hazard analysis and risk-based preventive control plan of the foreign supplier, and periodically testing and sampling shipments.

I look forward to seeing and reporting on FDA's implementation of FSMA.