On October 8, 2014, the Department of Commerce’s Bureau of Industry and Security (BIS) announced the issuance of a $750,000 penalty against Wind River Systems, an Intel subsidiary, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List.

Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations.

We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries (e.g., Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS’s treatment of violations of the encryption regulations.

Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies — a message that BIS seemed intent upon making in its announcement.

Encryption is ubiquitous in software products. Companies making these products should reexamine their product classifications, export eligibility, and internal policies and procedures regarding the export of software that uses or leverages encryption (even open source or third-party encryption libraries), particularly where a potential transaction on the horizon — e.g., an acquisition, financing, or initial public offering — will increase the likelihood that violations of these laws will be identified.

If you would like additional information about the issues addressed in this Client Alert, please contact Rich Matheny, who chairs Goodwin Procter’s National Security & Foreign Trade Regulation Practice, or the Goodwin Procter attorney with whom you typically consult.