Feds Fine Boeing $51 Million for ITAR Violations
For decades the DoJ seemed to be ignoring cybersecurity failures on the part of even large companies. That has changed. DoJ has started up an entire bureau for going after companies that ignore the rules.
Recently they fined Booz $335 million for False Claims Act violations.
Last week they announced they are going after Georgia Institute of Technology for DFARS violations.
Now they have issued a press release announcing that Boeing is going to pay a $51 million fine for ITAR violations. ITAR is a set of regulations that addresses the export, even accidental, of military-related data, even to friendly countries or to your own employees who are not in the United States.
They apparently have dozens of these cases under review.
Here are the details.
- THERE WAS NO BREACH. Often, the feds go after companies when they had a breach. That is not the case here.
- The DoJ says Boeing shared data with non-US persons at multiple Boeing and partner facilities outside the US. Doing that constitutes an illegal export under ITAR.
- They also say that employees in 18 countries, including Russia and China, downloaded ITAR data.
So what does Boeing need to do?
First, they can use $24 million out of the $51 million to improve their security – as long as the State Department approves the expenditure in advance. Think of the State Department as your new CFO or Comptroller.
The agreement goes for three years and will be overseen by a special compliance officer.
They will be required to undergo two external ITAR compliance audits during that period.
Boeing has nine months to beef up its ITAR and AECA resources.
The new rules apply to any new Boeing acquisition, and if they sell a business unit, the consent decree compliance requirements are part of the sale. They have to notify the government in advance if they plan to sell any business units.
The special compliance officer will oversee implementation of the new security practices, including preventing and detecting violations, screening of persons not authorized to access ITAR-controlled data, maintaining records and other things.
The good news is that no Boeing executives are going to jail. It seems like this was really due to poor policies and procedures. However, under ITAR regulations, if DoJ thought these data leaks were willful, Boeing executives could be guests of the federal government’s most secure hotels.
If you are unsure of your ITAR and AECA compliance, now would be a good time to review your practices. If you need help with that, please contact us.
Credit: Compliance Week