Ensuring Export Compliance in Activity-Based Working Spaces, Home Offices

Many companies are transitioning to or have already adopted activity-based working (ABW) environments, which allow employees to choose from a variety of work settings depending on the nature of their roles or daily activities. ABW environments are often designed with an eye toward open and communal collaboration; this comes with export compliance risks related to U.S.-controlled technology and information.

ABW has been the norm for many years in the tech industry, but it's growing in popularity outside of Silicon Valley as more companies adopt this office structure and work mentality. Of course the recent work-from-home trend caused by COVID-19 has slowed or halted ABW progress, but when employees begin coming back to work later this year or next, the ABW environment (or some version thereof) may be the new normal for some.

The export compliance officer should be aware of how to mitigate and protect against ABW risks. In this article I address such risks and measures that should be taken to sufficiently mitigate against export compliance violations in an ABW environment. Finally, since so many of us currently work from home, I’ll address how to prevent export compliance violations in the work-from-home environment.

Export Compliance Risks in ABW Environments

First, a quick review for context: A deemed export encompasses the release of U.S.-controlled technology and information to a foreign national (a non-U.S. person). Depending on the classification of the technology and the nationality of the recipient, an export license or other authorization (e.g., license exception TSR) may be required. Companies dealing in U.S. export-controlled technologies may be required to restrict access to certain employees, contractors, interns, etc., in order to avoid an unauthorized deemed export.  Deemed exports can occur via almost any means of communication or access, including but not limited to: telephone conversations, email and fax communications, sharing of computer data, briefings, meetings, training sessions and site tours.                                                     

Having an open and collaborative ABW environment is becoming increasingly important and common for many companies in the U.S. and abroad. However, in some cases, the deemed export rule demands that restrictions or conditions be placed on the ABW environment to comply with export control requirements that prevent unauthorized access to sensitive U.S. technology. This consideration is applicable within and outside U.S. borders, as the extraterritorial scope of U.S. export controls mean that deemed export rules apply anywhere in the world where U.S.-controlled technology is being openly developed or discussed.

physical security controls and access restrictions may be necessary in an ABW environment. With an understanding of the risks involved, below is guidance to mitigate (and hopefully prevent) export compliance violations in an ABW environment. 

Use These Rules to Mitigate ABW Risks 

To efficiently mitigate the risk of export compliance violations in an ABW environment, consider implementing specific guidance, such as the following:

• The development, discussion or review of U.S. export-controlled technology shall be consolidated into segregated rooms, conference rooms or other designated areas.  
• Non-authorized individuals (non-U.S., unlicensed employees) shall not work in, access nor congregate in or near such segregated rooms, conference rooms or designated areas.
• Segregated rooms, conference rooms or other designated areas in which U.S. export-controlled technology is being developed, discussed or reviewed shall be: 
1. Visually inaccessible via walls or partitions. 
2. Sound proof or sound resistant. 
3. Visibly marked as an export-controlled room/area via signage. 
4. Physically inaccessible (e.g., badge access) by non-authorized individuals.
5. As far from unauthorized persons as possible in order to prevent such persons from overhearing export-controlled discussions.
• Employees in segregated areas shall make use of privacy screens, lock their computer screens when not in use, clean whiteboards after use and keep sensitive documentation locked away when not in use.

In addition to the guidance above, authorized employees (U.S. persons or licensed foreign nationals) and unauthorized employees (unlicensed foreign nationals) should be trained and provided guidance such as the following:

Roles and Responsibilities of Authorized Employees

• Do not grant access to areas of the site that are restricted to unauthorized persons.
• Do not allow unauthorized persons to view your computer screen.
• Do not move or rename files in such a manner that would allow unauthorized persons to gain access to export-controlled information.
• Do not email or otherwise transfer export-controlled technology to unauthorized persons.
• Do not share your passwords, access codes or badge with anyone.
• Use privacy screens, lock computer screens, clean whiteboards and keep export-controlled documentation locked away when not in use.
• Report any concerns or potential violations to site security and/or export compliance.

Roles and Responsibilities of Unauthorized Employees

• Do not attempt to gain access to areas of the site to which you are restricted.
• Do not congregate in or near areas where export-controlled technology is being developed, discussed or openly reviewed.
• Report any concerns or potential violations to site security and/or export compliance.

The preceding represents just some of the potential guidance to consider implementing. A number of factors may create the opportunity for more lenient guidance or the need for stricter access controls. These include:

• The site layout.
• The number and location of unauthorized employees on-site at any given time.
• The existence of on-site security measures (e.g., a badge system with secure doors) that are properly implemented, documented and audited.

Finally, be prepared to receive pushback when attempting to implement physical access restrictions in an ABW environment. Work with management and internal stakeholders ahead of time to inform them of export compliance risks and to request their input and suggestions to develop guidance that adequately balances competing interests.

Work-from-Home Considerations 

Due to COVID-19, many employees at your company may be working from home on a temporary or long-term basis. These employees are likely bound by non-disclosure agreements (NDAs) or related agreements and policies with respect to the protection of sensitive and/or proprietary information that they have access to with their jobs. As the export compliance officer for your company, you can use these established agreements and policies as a baseline: Many of the recommended or mandatory behaviors in such agreements and policies overlap with best practices in the protection of export-controlled information. If agreements and policies don’t already exist, join forces with relevant internal stakeholders (IT security, legal, etc.) to draft and implement them. A few best-practices might include the following:

• Do not to share sensitive, proprietary or export-controlled controlled information with anyone in the employee’s household.
• Restrict visual access to the employee’s laptop screen and/or documentation that contains sensitive, proprietary or export-controlled information.
• When not in use by the employee, lock up laptops and documents containing sensitive, proprietary or export-controlled information.
• Contact IT security or export compliance if the employee has any concerns or questions as it relates to her/his work-from-home environment.