Encryption Regulations for Startups and Security Companies

Encryption Regulations for Startups and Security Companies

Sergio Retamal
Jan 21, 2019

Nowadays most of your personal electronics have some level of encryption. It can be anywhere from a basic login to more sophisticated security functions.

New gadgets are being developed in Silicon Valley by large companies and start-ups that have high levels of encryption, including firewalls, access points, wireless devices, communication, data transfer and others. Unfortunately, most of these companies are not aware of the existing encryption regulations and controls, which can lead to unpleasant surprises when you are ready to take your company public.

So you have an intern from Brazil or a high-level code writer from Russia on a visa? That may be okay from a labor department point of view BUT do you have an export license? What? An export license? Why would anybody need an export license to hire someone in the USA?

Because, there is something called a deemed export.

So you have an intern from Brazil or a high-level code writer from Russia on a visa? That may be okay from a labor department point of view BUT do you have an export license? What? An export license? Why would anybody need an export license to hire someone in the USA?

So your company is developing products that have encryption – Do you have an Encryption Registration Number? Again, if not you may have another violation on your hands.

Has your company provided samples or specs to customers overseas? Even though is not a sale it may be a violation.

Let’s say that you have sold and shipped hundreds of units overseas and you have not registered your product. You also don’t have your CCATS number and you’re not adding that information (CCATS, ECCN, License Exceptions or Validated Licenses) to your shipping documents – You may have hundreds of violations. Each shipment that does not comply is a violation, even though it may be the same error over and over again.

Does your company sell to foreign government end-users? Is your company eligible to do so without applying for an export license? Most countries have a great number of companies that are government owned and controlled. We are not talking about just police, military, and armed forces, but a whole range of companies and functions. Have you requested an export license for these entities? Are you allowed to ship to them without an export license?

I could go on for a couple of pages listing the ways that encryption is controlled and potential violations.

Should the government audit you and you have some of the violations mentioned above it can be very costly both in fines as well as legal costs. There is not only the legal cost to clean up and correct all the transactions that may have occurred in the past five years, but also the cost to review all transactions for the next five years.

The rule of thumb is that the liability is $25,000 per occurrence. So think about how many times have you shipped or transferred your product, had it downloaded by foreign customers and/or shared specs with overseas people or personnel – it can add up and Uncle Sam needs money.

I am not saying that you have some of the above or your company has committed any violations – what I am saying is that if any of the above issues sound new to you, your company may have some issues that need to be on the front burner.

If you are chosen for an audit by any of the US government agencies that enforce these regulations, it may be too late to come clean. It’s possible to come clean by using a voluntary self-disclosure before you are selected for an audit. After you have been selected though, you’re fair game. You’ll have less control because your disclosure is no longer voluntary.

Let’s say that you are ready to ask for funding. Smart investors in the Valley will ask you if you have any liabilities before they invest their money and import/export violations are part of the due diligence process. Most investors will not commit until these have been disclosed or settled properly.

When they say, “An ounce of prevention is worth a pound of cure” or “Talk is cheap” (unless you are talking to a Lawyer) it may be a true understatement.

If you have any questions regarding trade compliance please contact me at Global4PL – we have helped many start-ups, small businesses and some very large companies, and our customers do sleep better.

Global4PL is the Third Largest IOR-EOR Service Provider Worldwide & the only IOR-EOR Service provider with an In-House U.S. Licensed Customs Brokerage & Trade Legal Team that serves 74 countries worldwide.

Global4PL: We are your IOR, cost, compliance, and efficiency experts.

Sergio Retamal, CEO of Global4PL, has 27 years of executive Supply Chain and Procurement experience. He holds a Masters Degree in Change Management from Pepperdine University’s Graziadio School of Business and a Masters Degree in Business Administration in International Business from California State University, Northridge. He also holds a Bachelors of Science in International Business from California State University, Northridge.

Get Free Business Insights

Get curated content and business inspiration to your inbox.

    Modernize your business

    See how DPLGuru can help

    dplguru_get_started