Insights
Safeguarding Technical Data: A Lesson from the Honeywell Consent Agreement
Safeguarding technical data and preventing unauthorized exports of controlled technical data is a challenge for most companies. As demonstrated by the Honeywell consent agreement, the U.S. Government (“USG”) will not take violations involving unauthorized exports of controlled technical data lightly. Therefore, industry should carefully assess their compliance programs to ensure that technical data is safeguarded properly. This article provides an overview of the Honeywell consent agreement and discusses general recommendations for safeguarding technical data.
Honeywell Consent Agreement Overview
In April 2021, Honeywell International, Inc. (“Honeywell” or “the Company”), headquartered in Charlotte, North Carolina, entered into a consent agreement (“the Consent Agreement”) with the U.S. Department of State (“State Department”) for alleged violations of the Arms Export Control Act and the International Traffic in Arms Regulations (“ITAR”).
The alleged violations derived from two voluntary disclosures (“VDs”) that Honeywell submitted to the State Department in 2016 and 2018 that disclosed unauthorized exports and retransfers of ITAR-controlled technical data, including technical drawings of parts for multiple military aircrafts, gas turbine engines, and military electronics sent to Canada, Ireland, Mexico, the People’s Republic of China (“China”), and Taiwan. The Honeywell charging letter (“the Charging Letter”) notes a total of 34 charges related to the alleged violations.
Industry should carefully evaluate the alleged violations in the Charging Letter because there is a high likelihood that many companies are also committing the same or similar violations and, like Honeywell, could face an enforcement action.
Safeguarding Technical Data
Unauthorized Technical Data Exports/Retransfers at the Quote Level and to Foreign Subsidiaries
Companies are generally aware that before exporting a controlled item an export license is required. But when it comes to sending technical drawings for the same export-controlled product to a foreign party abroad, at the quote stage or other stages of the business transaction, industry fails to understand that such technical drawings are considered “technical data” and require an export authorization as well.
Similarly, companies often also fail to recognize that exports/retransfers of ITAR-controlled drawings or other technical data to a foreign subsidiary require an export authorization. As such, companies can be at a high risk of committing violations of unauthorized technical data exports/retransfers at the quote level and with respect to their own foreign subsidiaries.
Honeywell was no exception to these common industry mistakes. Per the Charging Letter, the two VDs disclosed violations of unauthorized exports and retransfers of ITAR-controlled drawings that occurred during the quote stage of transactions. In addition, there were unauthorized exports of drawings to Honeywell subsidiaries in China, and those subsidiaries retransferred the drawings to unaffiliated suppliers and to a foreign subsidiary employee in China.
As demonstrated by the Honeywell Consent Agreement, unauthorized exports/retransfers of technical data, especially when destined to proscribed destinations and involving Significant Military Equipment, are strictly enforced by the USG.
Overall, companies should carefully assess their quote process and exchanges/communications with foreign subsidiaries and suppliers to confirm that there are no gaps in their export compliance procedures and controls that may lead to unauthorized technical data exports/retransfers. Further, companies should take care to avoid the common misconception that unauthorized exports/retransfers of technical drawings and other technical data are not as “important” or not a “big deal” compared to unauthorized exports/retransfers of hardware. The Honeywell Consent Agreement – and previous enforcement actions – demonstrate that the USG takes these types of violations very seriously and will continue to hold companies accountable.
Recommended Internal Procedures and Controls for Technical Data
Below are internal procedures and controls companies should include as part of their export compliance programs that will help avoid unauthorized exports/retransfers of technical data. Note that this is not an exhaustive list, and that these items should be added to procedures and controls for technical data that are already part of the company’s Technology Control Plan.
-
Ensure all controlled technical data, including technical drawings, specifications, blueprints, etc. are marked with the correct export classifications and contain the proper export-control language (e.g., Destination Control Statement).
-
The export classification determinations should be made by qualified personnel who are knowledgeable of the export regulations and the technical characteristics of the products.
-
Employees at all levels, including sales personnel, should be adequately trained about export compliance regulations and internal processes and controls.
-
All controlled technical data should be exported/transferred via a secured file exchange platform that does not have any servers, cloud backup, etc. abroad nor can it be accessed by unauthorized foreign persons.
-
The file exchange platform should also track the technical data exports/transfers and the respective export classifications, which should be reviewed and approved by export compliance personnel.
-
There should be a second-level review for all international exports/transfers of technical data, especially during the quote stage.
-
Ideally, the quote process should be housed in a secured online portal (as opposed to email).
-
All parties involved in the quote process should be screened against the denied/restricted party lists issued by the USG.
-
Export compliance personnel should oversee and actively communicate and coordinate with other business departments, especially sales, engineering, shipping, etc.
-
Effective internal procedures and controls should be implemented and followed on a day-to-day basis by all company personnel and domestic and foreign subsidiaries.
-
Develop useful resources and guides for personnel to easily access and use.
-
Incorporate export compliance warnings/reminders and second-level checks/approvals into the company’s internal systems (e.g., ERP systems) that are used to complete customer orders or quotes.
***
In conclusion, the failure to safeguard technical data and the unauthorized technical data exports/retransfers at the quote level, especially when it involves foreign subsidiaries, present a high risk for many companies. Companies should be aware that the failure to allocate sufficient resources and support to implement and maintain an effective export compliance program that is not followed and complied with on a day-to-day basis will inevitably result in export violations and put the company at risk of an enforcement action and a hefty penalty.
Companies should carefully assess their export compliance programs for gaps that could result in export violations, especially unauthorized technical data exports/retransfers.