“Groundbreaking” Change to ITAR Cloud Computing Rules
Kelley Drye Client Advisory
June 5, 2014

In a recent ruling issued to a Kelley Drye client, the U.S. Department of State reinterpreted the International Traffic in Arms Regulations (ITAR, 22 C.F.R. §§ 120 - 130) to allow controlled technical data to be processed in the cloud without an export license – even if data is transferred to cloud servers located outside the United States.  The State Department characterized its ruling as “groundbreaking,” as it effectively opens the use of the cloud for ITAR controlled technical data for the first time.

The State Department decision was announced by Perspecsys, a provider of enterprise cloud data protection solutions, which received the ruling in response to a request prepared by Kelley Drye attorneys. 

The State Department’s opinion specifically permits companies to utilize tokenization – a form of data obfuscation – to export ITAR controlled technical data to the cloud so long as “sufficient means” are taken to prevent unauthorized access to controlled technical data, among other restrictions.  The “sufficient means” provision essentially requires companies to adopt technical approaches that would prevent foreign persons from intercepting or gaining access to ITAR controlled technical data throughout all phases of cloud data transfers. 

In issuing its opinion, the State Department reviewed an advanced tokenization solution offered by Perspecsys that ensures (1) that clear text technical data do not leave data owners’ servers in the United States and (2) that the clear text technical data cannot be logically or mathematically derived based on the obfuscated data (the “tokens”) transferred to the cloud, among other security measures.
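The two properties described above can be illustrated in code. The following is an added example, not part of the advisory and not Perspecsys's implementation: it contrasts random, vault-backed tokens with tokens derived from the data by an unkeyed hash. All names (TokenVault, derived_token, recoverable_without_vault, outbound_payload) and the sample record are hypothetical and constructed for illustration.

```python
import hashlib
import secrets


class TokenVault:
    """Hypothetical token vault. It stays on the data owner's server;
    only the tokens it issues are sent to the cloud."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, clear_text):
        # Reuse the token for a repeated value so cloud records still match.
        if clear_text not in self._by_value:
            token = "tok_" + secrets.token_hex(16)  # random, not a function of the input
            self._by_value[clear_text] = token
            self._by_token[token] = clear_text
        return self._by_value[clear_text]

    def detokenize(self, token):
        return self._by_token[token]


def derived_token(clear_text):
    """Counter-example: an unkeyed hash is mathematically derived from the data."""
    return "tok_" + hashlib.sha256(clear_text.encode()).hexdigest()[:32]


def recoverable_without_vault(tokens, candidates, token_fn):
    """Review check: which clear text values can a party holding only the
    tokens confirm by re-deriving tokens from candidate values?"""
    lookup = {token_fn(c): c for c in candidates}
    return [lookup[t] for t in tokens if t in lookup]


def outbound_payload(record, vault, sensitive_fields):
    """Build what leaves the owner's server: sensitive fields become tokens."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    record = {"id": "42", "spec": "constructed sample value A"}  # constructed sample
    sent = outbound_payload(record, vault, {"spec"})
    print("sent to cloud:", sent)
    print("restored locally:", vault.detokenize(sent["spec"]))
    print("recoverable from random token:",
          recoverable_without_vault([sent["spec"]], [record["spec"]], derived_token))
    print("recoverable from hash token:",
          recoverable_without_vault([derived_token(record["spec"])],
                                    [record["spec"]], derived_token))
```

The hash-derived token lets anyone who can guess candidate values confirm them, while the random token carries no information without the vault.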

In the past, the ITAR prohibited the transfer of technical data, in any form, to the cloud without a license if that data was to be hosted on servers outside the United States or handled by foreign persons.  As a result, companies with ITAR controlled technical data either paid for U.S.-only cloud solutions (which can be more costly than international services) or they abandoned use of the cloud altogether for ITAR controlled technical data.  The State Department’s reinterpretation of the ITAR promises to open the cloud to many more companies with ITAR controlled technical data – so long as the proper precautions are taken to comply with the ITAR.


For more information, please contact:

Eric McClafferty

Robert Slack