Outsourcing of biologic manufacturing, testing, and engineering is rapidly expanding, but international collaboration carries with it critically important U.S. and European export control requirements that are new to many biotech companies. Export control regulations govern shipments of military items and less sensitive “dual use” biological material, including certain human, animal and plant pathogens, toxins, and genetically-modified organisms. The regulations also cover exports of certain chemicals, materials (such as metals, graphite, and many others), and biomedical and chemical handling equipment (storage tanks, reactors, pumps, valves, etc.) sent abroad.

Perhaps most importantly for the contracting industry, certain scientific “know-how” requires an export license for shipment to non-U.S. locations or for releases to foreign persons, even if they are in the U.S. Thus, teaching a contracting company how to make certain items or perform certain tasks, whether in the U.S., India, China or elsewhere, may require an export license from the U.S. government. It may seem odd, but it is absolutely true that know-how shared with certain foreign persons located in the U.S. — for example, employees, contractors, and visitors — may require an export license from responsible U.S. agencies.

A surprising number of products and technologies are controlled for export, and assuming that your products are not controlled for export is a dangerous gamble. Recently, the know-how that went into creating a laboratory-made version of the bird flu drew the attention of the U.S. government and World Health Organization, raising significant national security concerns. Genetically-modified products are also getting more attention, too. Legislation introduced in the U.S. Senate in late 2011 would prohibit the transfer, sale, or possession of genetically altered salmon or other marine fish, or products containing such fish, inside or outside of the U.S. These types of issues are just the tip of the iceberg relating to export control concerns for the contract biological and pharmaceutical industry.

The proliferation of biological and chemical weapons is still seen as one of the major threats against U.S. national security. As the threat of proliferation rises, regulating agencies and their enforcement arms are taking a much closer look at how and where materials and equipment are being sent, how information is being shared, where it is stored — Where is your server located? Do you use the cloud? — and who has access to the data.

To properly deal with export control regulations, companies must have a compliance program in place, and in particular, they must take a systematic approach to accurately classify their products and technologies under very specific regulatory classification lists. It is impossible to know whether an export license is needed without engaging in this classification process. Those who ignore these rules do so at the risk of significant penalties for their companies and perhaps for themselves. For example, a 74-year old former professor at the University of Tennessee recently started serving a significant prison term for releasing export controlled know-how to two foreign students. (See bit.ly/HP2ngS)

Penalties for violating these rules have included criminal charges against companies and individuals, including jail time, and may include civil penalties of as much as $1,000,000 per export or technology release, depending on the circumstances. Under-standing the export control rules is critical for U.S. biotechnology companies that outsource manufacturing and services, and complying with them is the only way to protect the business and its employees. This article discusses some of the challenges companies face in this area and how to deal with them. 

Setting the Stage
The biotechnology world is driven by regulations. Companies have compliance systems to deal with FDA, USDA, CDC, HHS, and multiple other agency regulations for the handling and transfer of products and technology within the U.S. Yet few companies in the industry have the type of export control system they need to handle the risks that are presented by the materials they handle, the equipment they use, and the know-how they generate, export and share. How should your company (and you personally) be thinking about export controls?

The first place to begin is to understand where export controls fit into the biotechnology industry. Some of the most common export activities in the biotechnology field are those that accompany contract service relationships well known to the outsourcing sector, such as the shipping of sample materials and equipment (even storage equipment for those samples) to contract laboratories outside the U.S.

In addition to physical exports, the transfer of technology incident to a contracting agreement can also trigger export controls. Technology — or “know-how” for the development, production, or sometimes use of a controlled product — will be discussed in more detail later, but it is important to understand for now that international collaboration in the biotech field very often involves the sharing of technology, which can appear in both tangible forms of information (such as written research reports that can be secured under lock and key), and intangible forms (such as certain speech, calculations or specifications known to a company’s scientists). In both cases, it is easy to share such technology unwittingly in violation of the applicable regulations, if one is not properly trained. Technology can be released to another person, including a contractor outside of the U.S., in any way: through a document attached to an e-mail or faxed, by showing the technology to another, or by orally transmitting information through a telephone call or in-person conversation. Note that export control violations are strict liability — one does not need to know the regulations or even know that the regulations exist for an error to count as a violation of law. Moreover, many U.S. rules extend to facilities and persons outside of the U.S.

Finally, a key area where export controls may affect your company is in international sales of your products. A market analysis company recently predicted that the global biotechnology market will surpass $320 billion by 2015. In an effort to recover from the U.S. economic crisis, many biotechnology companies are looking to increase profits by expanding to new sales territories. Thus, places such as India and China will not only become more popular as sites for contract manufacturing, but biopharma sales to those countries are anticipated to increase as well due to upward trends in manufacturing, research capabilities, income and population levels.

As we discussed in the introduction, the penalties for non-compliance with the regulations can include criminal charges and civil penalties against companies and individuals. In addition, companies that violate the regulations risk being denied contracts and funding from the U.S. government. This is a critical issue for companies that may be funded by government grants or wish to sell products to the U.S. government (drugs and other therapies paid for by Medicare, for example). Companies that are put on so called “denied party lists,” which have included several U.S. companies, can have trouble buying computers and other equipment from the increasing number of suppliers who screen their customer lists against these denied party lists.

In addition to potential multi-million dollar penalties, there is the risk of adverse publicity. No company wants a Google search to display its export control violations and associated penalties, particularly when coming into compliance with this additional set of regulations is not that complex. As discussed below, it takes some guided effort, but a good compliance system is not difficult to implement.

U.S. Export Control Regulations Overview
The U.S. Department of Commerce, Bureau of Industry and Security (BIS), and the U.S. Department of State, Directorate of Defense Trade Controls (DDTC) are the two agencies primarily responsible for control of most biotechnology goods and technology exports from the U.S. Other agencies — such as the Department of Energy, the Nuclear Regulatory Commission, Department of Defense, Department of Treasury’s Office of Foreign Assets Controls, and the U.S. Patent and Trademark Office — regulate other specific types of exports.

BIS administers the Export Administration Regulations, or EAR. The EAR covers “dual use” products, software, and technology that can be used for dual commercial and military or terrorist end uses.¹ For example, a hammer is a dual use item because it can be used for a standard commercial end use to hammer siding into a house but it could also be used by the military to repair a tank. Items that require BIS authorization to export to a particular destination are indicated on the Commerce Control List (CCL). The EAR also controls exports to certain individuals or entities, and for certain end uses.

DDTC administers the International Traffic in Arms Regulations, or ITAR, which controls military products (“defense articles”), software and technology.² DDTC also maintains a list of controlled items called the U.S. Munitions List (USML), but anything specifically designed or modified for a military end use is also controlled as a military item. A license from DDTC is required to export any USML item outside of the U.S. In short, this alphabet soup of acronyms means that companies may very well be subject to regulations that control products or services for export.

Biological-Specific Controls
On the dual use side, BIS regulates a collection of microorganisms, toxins, biological equipment, and related technology that has been determined through multilateral coordination with the Australia Group, an international regime made up of 41 country participants that seeks to stem the development of biological and chemical weapons through export control efforts. In addition to the Australia Group controls, BIS also controls the export of select agents in any form. Licenses are required to export many products and technologies outside of the Australian Group, which involves a large number of countries.

The particular controls affecting the biotechnology sector are primarily found in Categories 1 and 2 of the CCL. Each particular control is identified by an ECCN, or Export Control Classification Number. Thus, you should be aware of ECCN 1C351 (human pathogens), 1C352 (animal pathogens), 1C354 (plant pathogens), 1C360 (select agents), and 1C991 (vaccines). Each ECCN contains specific information regarding what materials are controlled for export, the reasons for the control (from which the export destinations requiring a license can be determined), and whether any license exceptions apply. For example, ECCN 1C351, controlling human pathogens, identifies a detailed list of viruses, rickettsiae, bacteria, toxins, and fungi, which are controlled under the Australia Group regime, the Chemical Weapons Convention, and for anti-terrorism reasons. As a result, a license is required to export an ECCN 1C351 item to any destination. In contrast, ECCN 1C991, which includes certain vaccines, immunotoxins, medical products, and diagnostic and food testing kits, is controlled generally for anti-terrorism reasons, and to a more limited group of countries than 1C351 items. In short, the level of control is lower, and, thus, there are many more destinations to which an ECCN 1C991 item can be exported without a license.

Additionally, ECCN 1C353 controls genetically modified organisms. It should be noted that the application of ECCN 1C353 is somewhat different from other biological controls because it focuses on nucleic acid sequences associated with the pathogenicity of any organism on the CCL.

In other words, it controls exports of genetic elements — chromosomes, genomes, plasmids, transposons, vectors and the like — that contain nucleic acid sequences of CCL-controlled organisms and other organisms containing those sequences. Within Category 2, which generally governs materials processing products, software and technology, ECCN 2B352 controls equipment capable of use in handling biological materials.

On the military side, DDTC controls certain chemical and biological agents and associated equipment that have been or could be weaponized within Category XIV of the USML. Category XIV(b) controls “[b]iological agents and biologically derived substances specifically developed, configured, adapted, or modified for the purpose of increasing their capability to produce casualties in humans or livestock, degrade equipment or damage crops.” Category XIV(h) controls “[m]edical countermeasures, to include pre- and post-treatments, vaccines, antidotes and medical diagnostics, specifically designed or modified” for use with the biological agents described above. Another provision of Category XIV controls equipment specifically designed or modified to dispose of such biological agents. All USML exports and transfers of associated technical data to foreign persons in or outside the U.S. require export licenses.

Biological-Specific Controls: Technology
Both the EAR and ITAR also govern the export of controlled technology. Under the EAR, technology is the information that is required for the development, production or (in some cases) use of a controlled item listed on the CCL that is controlled for export. There are also some kinds of technology that are controlled even when the associated product is not controlled (e.g., certain coating technologies). The specific definitions of development, production and use can be found in part 772 of the EAR, but it is sufficient to know that those definitions are very broad and include virtually all information used in product development and production. It can exist in a similarly broad array of formats, including but not limited to blueprints, drawings, calculations, machine tool routing instructions and other machining data, product finishing information, and testing procedures. Under military rules (the ITAR), technology, referred to as “technical data,” includes any information — classified or not — required for the design, development, production, manufacturing, assembly, operation, repair, testing, maintenance or modification of defense articles.³ Again, technology controlled by the EAR or ITAR requires a license for export to certain destinations (all under the ITAR) just like the export of the product that the technology is used to design, make, or use.

U.S. export control enforcement authorities take seriously controls on technology releases and vigorously enforce them. Think of it this way: one export of a controlled product like a fermenter capable of toxin production without the propagation of aerosols (controlled under ECCN 2B352) can be a violation of the regulations that permits an enemy of the U.S. to own and use one sensitive product. But the release of sensitive production technology for a controlled fermenter permits that enemy to manufacture an unlimited number of controlled fermenters for toxin production on a much bigger scale. For that reason, enforcement personnel often care more about technology exports than individual product exports.

Based on these same policy considerations, the rules prohibit the unauthorized transfer of technology to foreign persons even if they are physically located in the U.S. This type of technology release is called a “deemed export” because it is “deemed” to be an export to the foreign person recipient’s home country. The key to complying with the deemed export rule is to consider what must be restricted for foreign persons with whom your company shares information, such as a contracting laboratory outside to the U.S.: access to controlled technology. “Access” is extremely broad. Consider access to shared computer network drives where controlled technology is stored, SharePoint and other data-sharing programs or websites where controlled technology is uploaded, access to meetings and production areas, and unsecured technology left out on a desk or in an unlocked cabinet (even when a foreign person is simply visiting your facility). Do you have a foreign person or contractor working in your company as an IT system administrator (with unlimited access), for example?

Permissible access to controlled technology for a foreign person can come in several ways. First, “foreign person” is defined under the EAR and ITAR as any person who is not a U.S. citizen, U.S. permanent resident alien (Green Card holder), or “protected individual” under 8 U.S.C. § 1324b(a)(3). (Note that DDTC looks at birth country and not just most recent citizenship.) Therefore, a non-U.S. citizen would still be considered a “U.S. person” if he or she qualified as a permanent resident or protected individual, and would lawfully be able to access controlled technology as such. This may be useful for those companies hiring foreign person employees, but is unlikely to apply in the foreign outsourcing context.

Second, a foreign person may be able to access controlled technology based on the combination of the technology’s type or level of control and the foreign person’s home country. For example, a Canadian national would not require a license to access technology for the development of EAR-controlled biological materials handling equipment because of the specific levels of control that BIS has placed on that commodity and its related technology. In contrast, technical data for the design of any defense article controlled by the ITAR almost never may be released to a foreign person without a license.

Finally, if a foreign person is ineligible for access to EAR- or ITAR-controlled technology, the company may apply to the appropriate U.S. government agency for a deemed export license. In the case of a contract manufacturing relationship, both BIS and DDTC have procedures in place to obtain approval for technology-sharing and manufacturing agreements. Although the process for such approval can take some time, authorization will permit the transfer of technology within certain pre-set boundaries. These type of approved agreements can be very good options for biotech companies outsourcing their manufacturing activities to foreign facilities.

So on what types of controlled technology should the biotech sector focus? Starting again on the dual use side, ECCN 1E001 controls development or production technology for biological materials listed under ECCNs 1C351, 1C352, 1C353, 1C354, or 1C360. ECCN 1E351 controls technology for the disposal of the same. As used in the example above, ECCN 2E001 controls development technology or software for equipment listed under ECCN 2B352. ECCNs 2E002 and 2E301 control production and use technology, respectively, for the same type of equipment. Similarly, Category XIV of the USML controls any technical data or defense services⁴ related to the biological agents controlled by the same category.

The biotech industry may be able to take advantage of some available technology license exceptions that commonly apply to the science field. Both the EAR and the ITAR provide certain exceptions for publicly available technology. Under the EAR, publicly available technology that would ordinarily need a license for export to certain destinations does not require a license if it has been published and is generally accessible to the interested public (for example, if it is published in a scientific journal), if it arises from “fundamental research” — both basic and applied — where it would ordinarily be widely shared within the scientific community, or if it is shared through instruction in catalog courses and teaching laboratories of academic institutions.⁵ The ITAR also exempts from licensing requirements technical data that is in the “public domain,” meaning generally accessible or available to the public, and including technical data made available through certain fundamental research.⁶

So there are exceptions to the technology controls, but many companies rely too heavily on these exceptions. Here is a good, practical test of whether your know-how is potentially controlled for export or whether it is subject to an exception because it is publicly available or in the public domain: Would you give your know-how to your company’s competitors? If you are willing to publish your know-how on your website for any and all to view, including your competitors, then your know-how may in fact be publicly available. But if you ask most companies if they are willing to do post such information, they react with horror. That is a reliable sign that a company considers its know-how to be business confidential information that would not be freely shared.

Non-public information that could be used to teach someone how to develop, produce or, in some cases, use an export-controlled item may well be export-controlled technology. If it is, then exporting it or releasing it outside the U.S., or inside the U.S. to certain foreign persons, can require an export license. As discussed, it is no joke that failure to obtain a required export license can lead to significant penalties.

Companies simply cannot afford to continue putting their heads in the sand and hope that no one will catch them. This is particularly true when:

• Export enforcement personnel in nine regional BIS field offices continue to visit companies to check on specific shipments and compliance programs,
• Hundreds of Immigration and Customs Enforcement special agents and the FBI ramp up export control enforcement cases and seizures, and
• New entities designed to focus coordination of export control laws are being announced and unleashed (see this March 7, 2012 White House announcement, for example: 1.usa.gov/HDM0kb). 

In the face of the increased focus on the biotech industry and the doubled and redoubled efforts to enforce these laws, companies need to review their products, equipment and technology and classify them to determine if they are controlled for export. Assuming your products are not controlled is a recipe for disaster. For example, swim fins, ball bearings, generators, certain ingredients for cosmetics, horses, computers, lubricants, western red cedar, industrial pumps, and steel plate are among the many, many items controlled for export. So how likely is it that one of your company’s biotech products or a sophisticated piece of production equipment is controlled for export? If any are, your company needs an export compliance system. Even if they are not and you export, you need a compliance system to deal with denied party issues and accurate export paperwork submissions to the U.S. government.

Compliance Tools
Consider getting help from qualified export compliance counsel that can protect confidentiality and attorney-client privilege as you develop your compliance system, in the event a potential past issue is discovered. The first activity any company should undertake is risk assessment: ask yourself whether a compliance system is needed. As described in this article, the chances are quite good that even one of your products and/or equipment is controlled, especially in the biotech sector. Further, U.S. companies that outsource or enter into international collaborative relationships must also consider their risks for violations on the part of their foreign partners. Potential liability for the activities of foreign subsidiaries, branches, or joint ventures varies, should be carefully considered. Do not forget that many U.S. laws apply abroad, and EU countries and others — including India and China — have their own export control laws.

To deal with these controls, companies must have a compliance program in place, and in particular, they must take a systematic approach to classify their “core” and “non-core” products and technologies accurately under specific regulatory classification lists. It is impossible to know whether an export license is needed without conducting this classification process.

Here are selected examples of certain key elements that every solid export compliance system needs.

Export Compliance Manual: An export compliance manual (ECM) serves as the fundamental base line for a company’s export compliance system. It should be tailored to the company’s business, and should also include simple day-to-day desktop procedures and checklists to ensure proper implementation of the manual’s policies. The ECM should also include sales procedures for product exports that include processes for “denied party” screenings to identify any individuals or entities with whom BIS, DDTC, the U.S. Treasury Department, or other government agencies prohibit U.S. persons from doing business. It should also establish procedures for product export license applications. Depending on the product and destination, an export license may take weeks to several months for approval. Thus, an internal system should allow the company to plan ahead and keep business running without significant delay.
Your company’s ECM should also address the procedures for the required U.S. Census Bureau export filing (also known as the Automated Export System, or AES). The U.S. government now forces companies to use an automated system to report every export above $2,500. That system makes it easy for the U.S. government to search for denied parties that are part of export transactions and to catch potential export violations. They are using the system to check the accuracy of export classifications and other information reported to the government. Do not forget that the information reported is certified to be accurate under penalty of perjury. (bit.ly/I9pnGb). How accurate is the information reported to the government for your company’s exports?

Technology Control Plan: Any company that produces or otherwise deals with controlled products, software, or technology should have in place a technology control plan (TCP) that deals with the issues particular to identifying, tracking, and securing controlled technology. The TCP should address how to handle electronic forms of controlled technology by identifying weaknesses in and solutions to a company’s information technology (IT) system — particularly important when information is being shared with foreign collaborators through virtual access points. It should also set forth physical control procedures in addition to these virtual ones.

Those companies that hire foreign persons in the U.S. — increasingly common in the biotech sector, which draws from the talent pools in India, China, and other Asian and non-Asian countries — should also carefully consider how export controls affect hiring decisions. For example, if a particular position requires access to controlled technology (i.e., researcher or laboratory technician), and a foreign person is hired for that position, the company must be prepared to apply for a deemed export license at the earliest possible date if required. Deemed export license applications may take as few as three and as many as eight weeks (or longer) for approval, and approval is not guaranteed. The company must also be cognizant of U.S. anti-discrimination rules that prohibit consideration of a person’s nationality or citizenship during certain stages of the hiring process, and how that will affect the company’s ability to plan for deemed export compliance. The TCP should address these issues and provide procedures for navigating this tricky area.

The policies and procedures set forth in the ECM and TCP are the cornerstones of a strong export compliance system. Having such a system in place demonstrates responsible corporate governance to not only the U.S. export enforcement authorities who may visit your facility, but also to customers and the broader market.

Training: While an export compliance manual and technology control plan are procedural cornerstones, there is no compliance system without implementation. U.S. export enforcement authorities expect a compliant company to train its employees in the relevant export controls and procedures, and keep regular records of such training.

Internal Review Program: A well-functioning export compliance system should also include internal audit and monitoring procedures to identify system deficiencies and address them in a timely fashion to avoid inadvertent export violations.

Responsible Individual(s) and Dealing with Potential Violations: Company management should support and elevate an individual or group of individuals responsible for maintaining and implementing the company’s export compliance system. This individual should manage not only day-to-day export compliance, but also serve as the point person for potential violations, both in identifying such potential violation and responding. It is important not to assume that there has been a violation. The company should gather the facts, analyze, and consult with experienced, qualified export control attorneys to determine if there is an issue.

As the threat of proliferation rises, regulating agencies and their enforcement arms are taking a closer look at how and where biological materials and equipment are being sent, and how related information is being shared. U.S. biotechnology companies must be sure they have export compliance procedures in place to protect their business and employees while maintaining the competitive advantage gained from outsourcing.  

References

1. 15 C.F.R. § 730, et seq.
2. 22 C.F.R. § 120, et seq.
3. 22 C.F.R. § 120.10
4. 22 C.F.R. § 120.9 (assistance to foreign persons in the design, development, engineering, manufacture, assembly, production, testing, repair, maintenance, modification, operation, demilitarization, destruction processing, or use of defense articles).
5. See 15 C.F.R. §§ 734.3(b)(3), 734.7, 734.8, and 734.9.
6. 22 C.F.R. § 120.11.

---

Eric McClafferty is a partner in Kelley Drye & Warren LLP’s Washington, D.C. office. His international trade practice includes extensive experience in export controls and compliance, and Foreign Corrupt Practices Act (FCPA) matters. He can be reached at EMcClafferty@kelleydrye.com.
Brooke Ringel is an associate iwith Kelley Drye & Warren LLP. She has experience in a variety of international trade matters, with a particular focus on export controls, classification, and compliance. She can be reached at BRingel@kelleydrye.com.