October 2014

Decoding Export Controls: Does the Latest BIS Settlement Signal a Trend in Increased Enforcement Actions Involving Encryption?


Last week, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) announced that Intel Corporation subsidiary, Wind River Systems Inc. (Wind River), agreed to pay a $750,000 civil penalty to settle charges that it sold encryption operating software products to foreign government end users and to organizations identified on the BIS Entity List without required Department of Commerce licenses. Intel acquired Wind River, a U.S.-based software vendor for embedded applications, through a stock purchase agreement. Through its not-so-cryptic message, BIS is demonstrating heightened enforcement efforts, with a focus on sensitive technologies.

The Wind River penalty stems from a voluntary disclosure filed in April 2012, when the company disclosed to BIS that it made four exports to various entities in China identified on the BIS Entity List between 2008 and 2011. Wind River also disclosed that during the same period, it made 51 unauthorized exports of operating software controlled under Export Control Classification Number (ECCN) 5D002 to end users in China, Hong Kong, Russia, Israel, South Africa, and South Korea. Under the Export Administration Regulations (EAR) Part 742.4, ECCN 5D002 controls software for National Security (NS 1) purposes, and a valid license or license exception is required for exports and reexports for all destinations except Canada. In each of these 51 exports, BIS emphasized that the end users were "government end users" as defined in EAR Part 772.1. Based on review and classification criteria, certain encryption items controlled by ECCN 5D002 may be exported or reexported under License Exception ENC (EAR, Part 740.17), unless the end user is a "government end user," in which case the License Exception does not apply.

BIS noted in its press release that because the violations were voluntarily disclosed, the company received significant mitigation. The agency further cautioned that "this penalty should serve as a reminder to companies of their responsibility to know their customers and, when using license exceptions, to ensure their customers are eligible recipients." (Emphasis added.)

In 2009, Intel agreed to acquire all outstanding Wind River common stock for approximately $884 million. When a company, or any other asset, is acquired, the seller is obligated to disclose the entity's known liabilities to the buyer. However, companies should also be aware of the "contingent" liabilities of that entity, meaning those liabilities that the entity incurred prior to the acquisition, of which the seller is unaware.

Note: For violations of U.S. export controls, which are "strict liability" in nature, entities that acquire a business are routinely held accountable for the seller's debts and liabilities under "successor liability" where:

  • There is an express or implied agreement of assumption, such as through a stock purchase;
  • The transaction amounts to a de facto acquisition of, consolidation, or merger with the seller's business;
  • The buyer is merely a continuation of the seller; or
  • The transaction is for the fraudulent purpose of escaping liability for the seller's obligations.

In such instances, companies could unknowingly be on the hook for civil penalties even where neither the buyer nor the seller knew of the liability, so long as the violation took place within the prior 5-year statute of limitations period but before the date of acquisition.

BIS administers a complex and evolving set of regulations on the export and reexport of encryption items, which must be carefully considered based on the unique facts. For instance, encryption software controlled under ECCN 5D002, which typically requires a license, may also be eligible for export or reexport under License Exception ENC. However, it is important to understand that proper use of the exception requires compliance with pre-export procedures under EAR Parts 740.17 and 742.15. Further, changes to the regulations occurred in 2010, when BIS sought to exclude "ancillary cryptography" from control under the EAR provided the software met carefully defined parameters. As such, it is important to remain current on these ever-developing controls as versions of your software products and business practices continue to change.

Practice Tip: Intel's Wind River settlement serves as a cautionary tale both for companies engaged in software development and export sales and licensing, as well as for any business looking to acquire new assets. Buyers should conduct a thorough U.S. export compliance review of any target business to identify practices or products that may give rise to successor liability. Moreover, a clear purchase agreement with a comprehensive indemnification provision on U.S. export control obligations, with a necessary reserve for identified potential liabilities, is an effective approach to help manage against such liabilities. Finally, companies should conduct a thorough review of their own export control policies and procedures to ensure they are properly exporting encryption items, as well as taking advantage of any license exceptions that are available.

For more information about this topic, please contact Venable's International Trade Group.