Recently I have attended several cyber security conferences. What I have learned about protecting information has changed how I view export controls. Senior management and board members should think about the big picture as it relates to information controls and exports rather than dealing with these issues separately. For instance, I was reviewing a nondisclosure agreement today related to export controls. The agreement will apply to an off-site worker. I immediately started thinking of the Target information breach. The breach happened because a new business platform was using a subcontractor that was not vetted for its IT security. The post-event analysis indicated that a broader strategic approach should have been taken in the business planning stage. Senior executives needed to consider all areas of the business operations together to plan procedures to minimize corporate risks.
This approach should be applied to export compliance. If a worker will be working remotely and will have access to information, the company and its advisers must consider the transfer and risks related to, not just controlled technology, information and software but also the possible leak or theft of intellectual property and personal and business data. From an export compliance and risk management framework, risk mitigation will work better if employees and third parties are trained in all of these areas and compliance materials should include nondisclosure agreements that cover data breaches, proprietary information as well as export controlled technology and technical data.
Bottom line: It’s my opinion that companies will be better protected and have less financial and reputational risk if privacy and data security experts understand and are trained in export compliance and if the export compliance officers understand the new world of information security. The result will be more secure and profitable companies.