There was a recent article written on a Slovakian company which had developed anti-virus software that was being downloaded in large numbers by users in Tehran. It is believed that the software was being utilized to secure the country’s networks against cyber attacks targeting Tehran’s nuclear program.
The problem with the Slovakian based company allowing downloads of this software in Iran is that they maintain offices in San Diego and therefore fall under U.S. jurisdiction for the administration of sanctions.
To complicate matters further, a former employee of the company, brought the large number of Iranian downloads to the attention of executives in San Diego who allegedly ignored the warnings of this employee. Furthermore, that same employee informed company executives that their software was being pirated and sold by street vendors in Tehran. Again, the company executives did not act upon the employees warnings.
According to the article, the company’s executives could have blocked downloads from computer locations in Iran by blocking Iranian IP addresses. However, they failed to do so. Moreover, the company fired the employee who had informed them of the Iranian downloads for policy violations related to printing the data he used for his analysis of the Iranian downloads.
The company has responded publicly by stating that they do not engage in business in sanctioned countries, however, they cannot stop illegal pirating and sales of their software in sanctioned countries.
The employee who was fired has provided evidence of these alleged sanctions violations to the Secret Service in San Diego, which told him they had provided the information to the United States Department of the Treasury Office of Foreign Assets Control (OFAC).
If the allegations of the employee are confirmed then this is a slam dunk case for OFAC and there will likely be a significant penalty. Not only is there the export of technology to Iran, the technology was also being utilized to secure Iran’s nuclear activities from cyber attack. Furthermore, the company’s executives were warned on multiple occasions by their former employee of potential sanctions violations and chose to turn a blind eye to what was occurring.
Two lessons can be learned here. First, be nice to your employees. You never know when one of them is going to become disgruntled enough to report you to the Feds for sanctions violations. Second, take potential OFAC violations seriously. Often times business people attempt to formulate some justification as to why their particular activities do not violate the sanctions because of such and such exemption or general license. While they might be right in some cases, the applicability of those exemptions and licenses to particular transactions are really for OFAC to determine. In those scenarios it makes sense to file a request for interpretative guidance to determine whether or not a particular activity is authorized under existing law. Otherwise, you may end up with only the “we can’t stop software piracy” defense, which I have difficulty believing will be very effective.
The author of this blog is Erich Ferrari, an attorney specializing in OFAC matters. If you have any questions please contact him at 202-280-6370 or firstname.lastname@example.org.