Cloud computing – it’s all the rage! Seems like almost everyone is using it. This and digital data storage on remote servers are services that are being promoted as ways to reduce costs as well as to leverage computational capabilities and to facilitate digital data sharing. Generally speaking, cloud computing refers to the use and access of multiple server-based computational resources via a digital network such as the internet. Remote storage refers to services limited to storage and backup of digital data on a third-party server. A third-party server is something that is owned and maintained by someone other than the University.

Traditionally, Department of Commerce’s Bureau of Industry and Security (BIS) had advised the transmission and storage (outside of the U.S.) of technology or software controlled under the Export Administration Regulations (EAR) constitutes an export or re-export. Therefore, such transmission or storage could potentially trigger a licensing requirement. Due to the Export Control Reform initiatives and the ever-changing industry of cloud computing and security, the United States government instituted changes for transmission of controlled data for institutions, private and government sectors.

• Revisions to the Export Administration Regulations
• Encryption and Contractual Obligations

• Understand ALL the terms of the agreement you and your project are subject to. If you do not understand these terms, contact the project PI or department administrator. The General Counsel’s office will also be able to explain legalese in simple terms as well.
• Do not store technology or technical data that is export controlled, or considered proprietary or confidential, outside UM servers. If the data is not public knowledge, do not use cloud computing or remote storage services.
• Increase the security of your data by adding passwords or encryption to access. Doing this does not mean that it is okay to use cloud computing or remote storage services for your export controlled, confidential or proprietary technology or files.
• Before entering into agreement with a cloud provider, first check with the University Information Technology department to see what resources are already available.
• If no other University resources are available to meet your needs, before entering into an agreement with the service provider, ask the following:
  • Where are the servers and routers located? (Get at minimum city, state, country)
  • Ask the provider to highlight in the agreement the measures they have in place to prevent unauthorized foreign nationals from accessing controlled technology and software wherever located.

These are hypothetical questions and should not be considered absolute answers or legal advice. Each and every situation should be consulted individually with the appropriate representatives. This section is only meant to provide some additional guidance.

• I am traveling internationally, but I am a U.S. Permanent Resident, is accessing my files from the digital storage server which is located in the U.S. still considered an export?

  Yes. It does not matter that the files are in your account. You are still located in another country and thus you have ‘exported’ the files you access to another country.

• What if I am a national of India and the servers are located in India, when I travel to India would it still be considered an export?

  Probably so, since the files were created while you were in the United States and your account is associated with the University of Miami which is in the United States. Further clarification would need to be addressed with the proper Government agency.

• How am I to share data with my colleague who is in another country if I cannot use these services because the information is too sensitive?

  If the information is not public knowledge then you should not be using these services at all for your project. Before sharing the information or technology, make sure there are no export restrictions tied to it. Review the terms of the contract / award / grant and then contact the University’s Director, Export Control Compliance for assistance.

• The agreement with the service provider on the remote storage provider stated that my files will be protected. What do I do if their system is compromised and my sensitive information is stolen?

  As stated earlier, if it is not public knowledge do not use servers that are not owned and maintained by the University. You must read the terms of the agreement carefully. What the provider has probably stated in the agreement is they have a process in place should the system be compromised. Yet, their marketing scheme states that your files will be protected. What you agree to and what they advertise are two different things. No system is 100% secure – even Fort Knox has had a breach in security. This is why it is being stressed that nothing other than what is already considered public knowledge be stored or shared by these online services.

• The University’s IT Department will not expand our server capacity or give us more room on our shared drives, what are we supposed to do?

  Many shared drives have a large amount of old files on them that are no longer needed. However, some of these files may also need to be retained for record-keeping purposes. Transfer these files onto a department external drive that is kept secure in your department’s repository. Making this a part of your department’s annual process will ensure that unused files are not taking up storage space that is needed for current activities. In most cases, this resolves the shared drive space issue. Otherwise, the head of your department needs to pursue this issue with the administrators who have the authority to make the changes in order to meet your departmental needs.