By George W. Thompson
The Bureau of Industry and Security (BIS) and Office of Foreign Assets Control (OFAC) have released details of their penalties against Barracuda Networks, Inc. and its subsidiary in the United Kingdom for export control and sanctions violations.
Barracuda produces electronic security products in the United States, including software classified in Export Control Classification Numbers (ECCN) 5D002 and 5D992 and hardware in ECCN 5A002 due to their encryption functionality. The UK subsidiary markets Barracuda’s products in various foreign markets. 5D002 items are controlled for National Security (NS) and Antiterrorism (AT) reasons and 5D992 items for AT reasons. In either case, exports or reexports to Iran, Sudan and Syria are prohibited without a BIS license, which is unlikely to be forthcoming.
Also, of course, exports and reexports to Syria are prohibited under the BIS-administered embargo on that country, and those to Iran and Sudan by OFAC sanctions regulations.
Unlicensed Exports to Sanctioned Countries
Despite knowing of these prohibitions, Barracuda and its UK subsidiary sold the controlled items, including software updates, to purchasers in each of those countries. According to the BIS settlement order in the case, the companies knew their customers were located in these countries, and also were aware of the license requirement. Nevertheless, for unexplained reasons, they made the sales anyway. The violations included knowingly exporting the encryption items and acting with knowledge of a previous violation by subsequently providing the software updates.
Significant Penalties
Barracuda voluntarily disclosed the transactions to BIS and OFAC. Nevertheless, it was assessed a penalty of $1,500,000 by BIS, more than three times the value of the illegal exports. The OFAC penalty amount was $123,586, slightly less than one-third the value of transactions covered by that agency’s regulations.
Two things stand out about this case, in my view.
First, Barracuda seemed to have a schizophrenic approach toward BIS compliance. On the one hand, it obtained BIS encryption classifications and showed some awareness that Iran, Sudan and Syria were prohibited destinations. Even so, it and the UK company exported there knowing their customers were located in those countries. Either the compliance program was never circulated to the employees involved or they deliberately subverted it; the penalty announcements don’t address this point.
Second, the BIS penalty strikes me as relatively high in relation to the merchandise value, especially since the violations were voluntarily disclosed. That may be explained by the knowing violations and that they involved encryption items to embargoed destinations. The OFAC announcement, by contrast, notes the shipments with knowledge and absence of a sanctions compliance program and training as exacerbating factors, but characterized it as “a non-egregious case.” BIS seems to have considered the violations as more serious than did OFAC.
