Let’s face it, unannounced company is rarely appreciated. If you haven’t washed the dishes, wiped the mud off the dog’s feet or tidied the mountain of shoes in your foyer, you may not wish to welcome guests into your home.
If you work in a University or research facility in the United States, though, you should be prepared for unannounced visitors – from the Federal Bureau of Investigation (FBI). The threat of deemed export violations means you must always be ready to put out the welcome mat for government agencies.
If the image of men in black trench coats and dark glasses breaking down the door while shouting “FBI!” has you quivering, you may have seen too many movies. Site visits from the FBI are conducted routinely, as part of ongoing export compliance initiatives. Most institutions have systems in place to regulate transfers of controlled technology whether they occur in the United States or abroad. If you’re one of these institutions, then the FBI knocking on your door need not be cause for panic. But it’s important to realize that the number one priority of these agents is not to protect your blueprints, your research notes or your hard drives (that’s your job), but to enforce deemed export compliance laws. That means you’ve got to be audit-ready to avoid the financial consequences of an inadvertent deemed export violation.
Some things the FBI may be particularly interested in discussing with you:
• The systems you have in place to protect yourself. Hackers, phishers, malware…these words are scary, and for good reason. U.S. universities receive numerous unsolicited requests for information every day. Research facilities are vulnerable to intruders that can bypass firewalls as well as con trusting faculty and staff into sharing confidential data. Be prepared to discuss university policies for scam-protection, and the security systems you use to protect your institution from cyber-crimes.
• What you do when you pack your bags. When faculty or other employees attend overseas conferences or meetings, how do you prevent them from accidentally sharing the wrong information with the wrong individuals? Controlled data that’s tucked away in a professor’s email folder becomes an export if that professor carries his laptop overseas. You’ll need to demonstrate to the FBI that before anyone hops a plane, your team does its due diligence to protect your institution’s sensitive information.
• Who’s working with you, and what they’re working on. If foreign nationals employed by you are exposed to technology deemed to be an export under Export Administration Regulations (EAR) or International Traffic in Arms Regulations (ITAR), your paperwork had better be flawless. Be certain you’ve met all licensing and visa requirements and that everything is thoroughly documented.
• How you keep out undesirables. Make sure you are using a reliable restricted/denied party screening solution to screen everyone with whom you plan to make contact – either on your own premises or when you travel overseas. This includes student applicants, job seekers and research partners.
• What’s public knowledge, and what isn’t. Most information taught at universities is available to anyone – students sitting in classrooms or online learners based abroad. But some information is classified, patented, proprietary or export restricted, and this information requires protection. Make sure you can demonstrate that you know the difference, and that you know what the law says about safeguarding controlled data.
When developing and evaluating your institution’s export compliance plan you should try to view your entire program through the eyes of a government agent. Look critically at your procedures and policies for safeguarding your valuable technology, and ask yourself the questions a government agent might pose. That way you’ll be ready should you ever find yourself receiving unexpected company.