Export Administration Regulations (EAR) is a set of US Government regulations that deals with the export and temporary import of items designed for commercial use that could have military application (Dual Use). The sensitive information in an EAR context is usually defined as “Technical Data”, which includes articles, technology, software, and other information necessary for the development, production, or use of a product. Parties deemed responsible for classification under EAR must define dual use items according to the Commerce Control List (CCL). EAR regulations dictate that technical data pertaining to Dual Use items (referred to as “Deemed Exports”) may only be shared with U.S. citizens. The sensitive data must also be subsequently protected in order to maintain its confidentiality. One of the most important steps, if not the most important, in having an EAR compliant data security strategy is the process of Data Classification.
EAR Compliance and Data Classification
Data Classification is a comprehensive process that entails identifying EAR sensitive data, followed by consolidating the data in a way that makes it easier to safeguard. Data Classification facilitates the protection of sensitive data with other Data Security measures. Because it centers on identifying and protecting sensitive data, it is easy to understand how a proper Data Classification strategy could serve as a catalyst for an overall successful EAR Compliant Data Security posture.
Looking at Data Classification from an EAR Compliance standpoint, the first step in the process is discovering and identifying data. This information would mainly come from the Commerce Control List (CCL). Determine if your organization exports any items that fall under one of the 9 categories, or the 5 product groups. While 90% of exports won’t fall under this list (known as EAR99 exports, non-regulated), it is important to do a thorough scan, as a single export violation can result in hefty fines and penalties. After determining the breadth of your dual use exports, you must then identify the technical data surrounding these EAR regulated products.
It is important to understand that although the products themselves are what is being categorized as EAR Compliant, all Technical Data falls under the same categorizations. Furthermore, this “Technical Data” is the information that must be classified and protected with regard to Data Security.