Timothy O'Toole was quoted regarding the risk of inadvertent exporting of sensitive or restricted data when using cloud technology. U.S. export regulations apply to technical data and there is an inherent tension between export control regimes and cloud computing, O'Toole said. When a U.S. company stores data in the cloud, it should assess where servers and routers are located in order to determine if its data is stored in a foreign location, which would suggest that the data was exported. Because the cloud is a recent development, government agencies haven't been thinking about it until recently, O'Toole said.
The Department of Defense is proposing regulations governing when government contractors can store information on the cloud, he said, and other government departments have issued advisory opinions on encrypting or protecting the data. However, the most recent 2014 advisory opinion, issued by the Department of State, allowing the use of a license exemption under certain circumstances created ambiguity, O'Toole said. Companies that are not involved in exporting may be at risk because their data is stored on cloud servers outside of the U.S. and encryption prior to storage may provide protection against inadvertent violations as well as increased security for intellectual property.