Email this page
Share
Print-Friendly PDF Print this page
Client Alert
Software Companies Now on Notice That Encryption Exports May Be Treated More Seriously: $750,000 Fine Against Intel Subsidiary

The Bureau of Industry and Security (BIS) recently issued a $750,000 fine against an Intel subsidiary for the unlawful exportation of software products that enable encryption. This is a sharp departure from BIS’s historical practice and suggests the agency may take a tougher stance on such violations in the future.

On October 8, 2014, the Department of Commerce’s Bureau of Industry and Security (BIS) announced the issuance of a $750,000 penalty against Wind River Systems, an Intel subsidiary, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List.

Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations.

We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS’s treatment of violations of the encryption regulations.

Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies — a message that BIS seemed intent upon making in its announcement.

Encryption is ubiquitous in software products. Companies making these products should reexamine their product classifications, export eligibility, and internal policies and procedures regarding the export of software that uses or leverages encryption (even open source or third-party encryption libraries), particularly where a potential transaction on the horizon — e.g., an acquisition, financing, or initial public offering — will increase the likelihood that violations of these laws will be identified.

If you would like additional information about the issues addressed in this Client Alert, please contact Rich Matheny, who chairs Goodwin Procter’s National Security & Foreign Trade Regulation Practice, or the Goodwin Procter attorney with whom you typically consult.

© 2016 Goodwin Procter LLP. All rights reserved. This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP, Goodwin Procter (UK) LLP or their attorneys. Prior results do not guarantee similar outcome.

Goodwin Procter LLP is a limited liability partnership which operates in the United States and has a principal law office located at 53 State Street, Boston, MA 02109. Goodwin Procter (UK) LLP is a separate limited liability partnership registered in England and Wales with registered number OC362294. Its registered office is at Tower 42, 25 Old Broad Street, London EC2N 1HQ. A list of the names of the members of Goodwin Procter (UK) LLP is available for inspection at the registered office. Goodwin Procter (UK) LLP is authorized and regulated by the Solicitors Regulation Authority.