Export Compliance

What Do Deemed Export Violations and Social Media Have in Common?

Not long ago a teenager made news for throwing a party in his parents’ absence.

What’s so newsworthy about that? He advertised the party on Twitter, and as a result an estimated 1500 to 2000 people showed up. The kids caused over $70,000 in damage to the house (to be fair, it’s pretty tough to stand shoulder to shoulder with over a thousand people and not knock over a vase or two). This young host learned a lesson about social media that every company with an online presence should keep in mind, particularly those companies whose sensitive products and technology make them vulnerable to deemed export violations.

Think about a typical export compliance program: when a foreign national is slated to visit a business or research institution, there are a host of required preparations – such as Restricted and Denied Party Screening – to help ensure the guest is not unlawfully exposed to controlled data or technology.  And when a U.S. employee takes a business trip abroad, they must also take care not to unwittingly share privileged information with their foreign hosts. What many people who commit accidental violations are shocked to learn is that even a casual conversation over coffee can lead to a deemed export violation.

Social media is a lot like having a casual conversation over coffee – but with millions of people in countries all around the world (even the sanctioned ones).

Savvy businesses recognize the value of using social media to interact with customers and potential customers, advertise their products and services, show off glowing referrals and much more. It’s not unusual for an employee’s primary responsibilities to include blogging, tweeting, posting on Facebook, and ensuring the organization’s LinkedIn profile attracts quality candidates. But the problem with the internet is that when everything is “out there”, there’s a very good chance that the wrong person will see it.

Technology makes it easy to find out who works for a company and what their role is. With this knowledge, it’s simple to speculate about the sensitive information that employee likely has access to, and target their online profiles in an attempt to gain access to this information. Anyone using a social networking site is vulnerable to malware. With Facebook it’s possible to search a few keywords, come up with enough information to pose as one of your target’s legitimate connections, and trick them into revealing classified data. And just like that, a deemed export violation has occurred.

Many people view Facebook as a low-threat, safe space on the internet, and as a result they’re more likely to let their guard down and post random comments intended to be innocuous (“I can’t believe how much time this software bug is costing me! It’s been hours since the system has worked properly!”). Such a statement appears to be just another rant on par with complaining about a bus delay, but the subtle message it sends could inadvertently leave an organization vulnerable to a cyber-attack.

Organizations are generally wise about what they share online, but it is easy to lapse when your objective is to reach a mass audience. Think about the information that can be garnered from photos on a company’s website that wind up tweeted to the general public (such as employees standing in front of sensitive equipment or carrying blueprints whose images can be enlarged and examined). Or think about students accidentally making connections on LinkedIn with debarred parties looking for a job at your research facility.

What can be done? The answer is not to abandon social media but to use it wisely.  Official policies surrounding its use must be implemented and managed to ensure everyone understands what is acceptable to share, and what’s not.  And of course, export compliance programs must be rock solid so that if something does slip through a social media crack, it can be caught by reliable restricted party screening, thorough background checks of job applicants and other means by which export violations are avoided.

So you can join the social media party without uninvited guests ruining the fun.