Use of Cloud Storage/Sharing and Export Control

The United States’ export control laws forbid the unlicensed transmission of controlled items, software, and information to certain countries and with certain individuals.  These export control laws apply to controlled items even when transmitted primarily for storage or for further transmission purposes.   Storage and transmission computer cloud servers (such as Google and Box) can be located outside the United States or can be accessed by foreign persons employed by these companies.  As such, information that is transmitted electronically or stored on a cloud server is considered a deemed export, requiring UMBC to obtain a license and create plan to govern information use and access.

The Division of Information Technology has created data use guidance for UMBC personnel on what can and cannot be shared via the variety of cloud service products (e.g. Google, Box) that fall under UMBC’s purview.

Please note the following levels of data security:

    • Level 3. Information specifically designated as sensitive by laws, regulations, or contracts; such as financial and health records or research contracts;
    • Level 2. Personally identifiable information (e.g. SSN combined with number holder’s name) protected by Federal or state laws, or data requirements from research sponsors.
    • Level 1. UMBC proprietary institutional information; such as educational records protected FERPA or research contracts.
    • Level 0. Public Information not classified as level 1-3.

As such, Google is not approved for confidential data (levels 2 & 3 above). Since Google stores its data around the world and employs people around the world, ORPC and DoIT do not recommend that Google be used with export controlled data. By contrast, Box.com is approved for level 0, 1, and 2 data. This means that information such as SSNs and passport numbers can be stored in Box. While all Box.com data is currently stored in the USA, there is no guarantee that Box.com will always keep our data in the USA. There are also no guarantees that a foreign person will not be employed by Box.com and have an ability to access our data. Accordingly, Box.com is okay to use with data classified as level 0, 1, and 2, but we would would not recommend it for export controlled data.

For more information, please consult UMBC’s policy for the protection of sensitive information as well as DoIT’s data use guidance for more information. You may also wish to consult with Mark Cather, UMBC’s Chief Information Security Officer (CISO), who can be reached at 410.455.3783 or mark.cather@umbc.edu.

Contact the ORPC at compliance@umbc.edu with any further questions. For additional information or questions, please review the ORPC export control overview page.

return to Export Control site