Etymology, particularly the Greek or Latin roots of words, aids our understanding in much the same way as root cause analysis does. The Greek word for disclosure is αποκάλυψη, transliterated to apokálypsi, or “apocalypse.” Nomen est omen. This came to mind while reading the pronouncements proffered by various agencies this year – each of which influences voluntary disclosures of export control violations.
What once was a practical and efficient avenue for industry to inform the cognizant agencies of possible violations appears to have become a byway littered with mines, thanks to proposed and final rules issued by the Directorate of Defense Trade Controls (DDTC) and the Department of Defense (DoD). As it presently stands, contractors interacting with export-controlled information could face ruinous consequences if they act too reflexively in addressing cybersecurity incidents and events.
DDTC Proposed Rule
Let’s start with DDTC – an agency within the Bureau of Political-Military Affairs of the Department of State, which promulgates (pursuant to the Arms Export Control Act), administers and enforces the International Traffic in Arms Regulations (ITAR) governing defense trade. DDTC encourages companies to voluntarily disclose potential ITAR violations and considers such actions a potentially mitigating factor in ITAR penalties. ITAR penalties, it ought to be emphasized, are fearsome in terms of both size and imposition. For example, a willfully false or misleading statement on a registration or license application could lead to a fine of $1 million, a 10-year prison sentence or both. Further, civil penalties for ITAR violations have been imposed on a strict liability basis (i.e., without any intentional wrongdoing whatsoever). It is, therefore, unsurprising that DDTC received in excess of 1,200 voluntary disclosures last year.
For full article, click here.