This week the U.S. Department of Justice (DOJ) and Netcracker Technology Corporation (NTC) announced that they had settled charges that NTC had violated U.S. controls on foreign access to sensitive data. The settlement underscores many of the export control and related compliance risks surrounding the provision and use of cloud computing services and global networks. At the same time, the Enhanced Security Plan issued by NTC and DOJ as part of the settlement provides a helpful set of benchmarks and best practices for companies that may be considering the use of cloud services and network infrastructure to house and transmit their most sensitive data.
According to DOJ’s settlement announcement, NTC had worked as a subcontractor on two federal government contracts with the Defense Information Systems Agency (DISA), a combat support agency of the U.S. Department of Defense (DoD), and performed some product support work from locations outside the United States, including Russia. DOJ alleged that by failing to maintain adequate controls on the cloud and network infrastructure supporting these contracts, NTC had threatened the security of sensitive data about individuals, DoD projects, networks and critical U.S. domestic communications infrastructure. DOJ further asserted that uncleared NTC foreign national employees in Russia and Ukraine worked on the DISA projects and were aware of the sensitive nature of the projects and the data stored and transmitted through the network managed by DISA.