On February 19, 2014, the U.S. Commerce Department announced that it had reached an agreement with Santa Clara-based Intevac, Inc. to settle allegations that Intevac violated U.S. export regulations governing exports of technology. Under the agreement, Intevac agreed to pay a civil penalty of $115,000.
In pursuing this matter, Commerce underscored that it will enforce aggressively the Export Administration Regulations with respect to “deemed exports,” even when the violation is self-disclosed. Similarly, as discussed below, one notable component of this matter is how it illustrates the tactical decision companies must make as to self-disclosing violations of technology export controls. In addition, the action is a reminder to the technology industry that, as it strides across borders with its products and in search of talent, U.S. law will accompany it every step of the way.
Alleged violations. In its draft charging letter, Commerce asserted that Intevac – which operates in the “hard disk drive, solar and photonics markets” – had committed two primary violations. First, Commerce was prepared to charge Intevac for the unauthorized release of U.S.-origin technology to a Russian national located in the United States. Under the EAR, the release of technology to a Russian national, even a Russian national authorized to be in the United States, is treated like an export of technology to Russia itself. Correspondingly, to the extent a license was needed to export the technology to an individual in Russia, a license would also be required to share the technology with a Russian national in the United States. For more on the current state of U.S licenses for exports to Russia see here.
Intevac did not have the requisite authorization. In fact, Commerce was prepared to charge that Intevac knew it did not have that permission: while the company’s export license application was pending with Commerce, the company provided the Russian national with a login and password information to access the server on which the controlled technology was stored.
Second, Commerce alleged that Intevac exported controlled technology to China without the necessary export license. Specifically, Intevac provided a Chinese national engineer in China with a login and password to access controlled technology stored on Intevac’s server in Santa Clara. Providing access to the controlled technology constituted a violation even though the Chinese national engineer was an employee at Intevac’s Chinese subsidiary in Shenzen.
Analysis. We think this enforcement matter is notable for several reasons. First, it provides yet more proof that Commerce will vigorously pursue enforcement actions related to exports of controlled technology. In our experience, protecting against export violations involving controlled technology is the greatest export compliance challenge companies face. Technology can slip silently and easily across national borders, including through being shared with non-U.S. persons in the United States, or transferred to colleagues working for the same company but in different countries. Violations can be triggered by e-mails, instant messages, phone conversations, access to shared servers, training presentations, sharing of photographs, and other seemingly innocuous means.
Second, in reviewing the settlement documents in the matter, we were struck by the type of technology that was shared: “drawings, blueprints for parts, and identification numbers of parts, development and production technology” for a product used in hard disk drive manufacturing (emphasis added). While we can hypothesize a situation in which identification numbers could constitute controlled technology, we do not often get too concerned about controlling information that appears to be geared toward internal use or identification rather than something that could be readily deployed by non-U.S. persons with a technical background. (Drawings and blueprints for drawings are a different matter, however.) The fact that Commerce took action against Intevac, at least in part because it shared such identification numbers with non-U.S. persons, suggests that Commerce may consider a broad spectrum of information to constitute controlled technology once it has its foot in the door. This was a settlement after all – Commerce did not have to prove its interpretation of the regulations in a court of law.
Finally, we note that this enforcement action was triggered by a voluntary disclosure. There are always a number of considerations for whether to disclose or not, and it can often make sense to submit a disclosure depending on, among other things, the relevant regulations and the agency involved. Having had no involvement in this matter, we can only speculate as to why the company made this disclosure.
That said, the settlement and penalty bring into question the merit of making a disclosure in cases involving deemed exports. It is hard to envision many situations in which the Government would otherwise identify violations involving transfers of technical data. Thus, winning the proverbial race to the courthouse in order to get disclosure credit may not be compelling, particularly when the disclosure resulted, as it did here, in a six figure settlement.
We think it is indisputable that Intevac needed to conduct a thorough, careful investigation in this matter. Corrective actions – especially in this case, where there may have been ongoing server access provided to non-US persons – presumably were needed. Assigning accountability for development and implementation of such corrective actions and, crucially, tracking implementation, would be key elements of reforming the conduct. These steps are sacrosanct whenever a violation is identified.
Ultimately, in the case of internal technology transfers in violation of the EAR, we think that many companies could conclude that no disclosure is needed. Having endured this enforcement action, and now facing this penalty and the negative reputational implication of this matter being made public, one might wonder whether Intevac would agree.