
The Email That Could Cost You $1 Million: Accidental ITAR Violations


Jared Clark

March 05, 2026


By Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC — Principal Consultant, Certify Consulting


It doesn't start with a spy. It doesn't start with a briefcase of stolen blueprints or a covert handoff at an airport terminal. Most ITAR violations I've encountered in 8+ years of export control consulting start with something far more mundane: a forwarded email, a shared Dropbox folder, a screen share during a Zoom call, or a foreign national engineer who "just needed the spec sheet to finish the drawing."

The U.S. Department of State's Directorate of Defense Trade Controls (DDTC) doesn't care about your intentions. Civil penalties for ITAR violations can reach $1,386,000 per violation as of 2024 — and the word "per violation" is doing enormous work in that sentence. Each unauthorized disclosure can be counted as a separate violation. Send a controlled technical drawing to five foreign colleagues in a single email chain? That could theoretically be five violations.

This guide is designed to show you exactly what accidental ITAR violations look like in day-to-day operations, why they happen, and how to stop them before they stop you.


What Makes ITAR So Easy to Violate Accidentally

The International Traffic in Arms Regulations (22 C.F.R. Parts 120–130) control the export and import of defense articles, defense services, and related technical data listed on the United States Munitions List (USML). The concept sounds straightforward until you realize that "export" under ITAR includes disclosure to a foreign national inside the United States.

This is the clause that catches most companies off guard. It is codified in 22 C.F.R. § 120.17, which defines export to include "disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad." That definition turns every lunch meeting, engineering stand-up, and shared project management dashboard into a potential export event.

According to DDTC's enforcement data, a significant portion of consent agreements and penalty orders involve deemed exports — disclosures to foreign nationals on U.S. soil — rather than traditional cross-border shipments. The companies paying these penalties are not rogue arms dealers. They are aerospace primes, defense subcontractors, medical device manufacturers with dual-use components, and technology companies that never thought export control applied to them.


The 7 Most Common Accidental ITAR Violations (With Real-World Scenarios)

1. The Forwarded Email

An engineer receives a request from a supplier's technical lead asking for a tolerance specification on a guidance system component. The engineer has worked with this contact for three years. They're friendly. The contact's English is perfect. The engineer hits "forward" without thinking.

What the engineer didn't know: the supplier's technical lead holds a non-U.S. passport. The specification references a controlled USML Category XV item. No export license exists. That email is a violation.

The fix: Implement a send-time prompt in your email system that flags messages containing controlled document numbers or project codes and requires the sender to confirm the recipient's nationality status before sending.
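The send-time check described above can be built as a simple outbound-mail gate. The following is an added illustration, not a product or the author's own tooling: it assumes two lookups that export compliance would maintain, a registry of controlled document numbers and project codes (here `CONTROLLED_IDENTIFIERS`, constructed sample patterns) and a roster of recipient addresses whose U.S.-person status has been verified or who are covered by a recorded license or TAA (`VERIFIED_US_PERSONS` and `AUTHORIZED_RECIPIENTS`, constructed sample values with a placeholder authorization reference). The gate makes no nationality judgement of its own; when a controlled identifier is present and a recipient is on neither list, the message is held and the sender is told to confirm status with compliance before it leaves.

```python
"""Send-time gate for outbound mail that may carry controlled technical data.

Added example for the forwarded-email scenario; not code from the page.
All identifiers, addresses and the authorization reference are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed registry maintained by export compliance. Patterns rather than
# literals so sheet/revision suffixes (e.g. DWG-4471-02) still match.
CONTROLLED_IDENTIFIERS = {
    "DWG-4471": r"\bDWG-4471(?:-\d{2})?\b",   # hypothetical controlled drawing series
    "PROJ-KESTREL": r"\bKESTREL\b",           # hypothetical controlled project code word
}
# Constructed roster: verified U.S. persons, and recipients covered by a
# recorded license/TAA (value is the authorization reference; placeholder here).
VERIFIED_US_PERSONS = {"j.doe@example.com", "s.lee@example.com"}
AUTHORIZED_RECIPIENTS = {"k.mueller@partner.example": "TAA-PLACEHOLDER-001"}


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachment_names: List[str] = field(default_factory=list)


@dataclass
class GateDecision:
    action: str                          # "send" or "hold"
    matched_identifiers: List[str]       # controlled identifiers found in the message
    unverified_recipients: List[str]     # recipients on neither roster
    authorizations_relied_on: Dict[str, str]  # recipient -> license/TAA reference


def find_controlled_identifiers(msg: OutboundMessage) -> List[str]:
    """Names of controlled identifiers found in subject, body or attachment names."""
    haystack = "\n".join([msg.subject, msg.body, *msg.attachment_names])
    return sorted(name for name, pattern in CONTROLLED_IDENTIFIERS.items()
                  if re.search(pattern, haystack, re.IGNORECASE))


def normalize(addr: str) -> str:
    """Reduce 'Jane Doe <J.Doe@Example.com>' to 'j.doe@example.com' for roster lookup."""
    return addr.rsplit("<", 1)[-1].rstrip(">").strip().lower()


def evaluate_message(msg: OutboundMessage) -> GateDecision:
    """Decide whether the message may leave or must be held for confirmation."""
    matched = find_controlled_identifiers(msg)
    if not matched:
        return GateDecision("send", [], [], {})   # nothing controlled: no gate
    unverified, relied_on = [], {}
    for rcpt in map(normalize, msg.recipients):
        if rcpt in VERIFIED_US_PERSONS:
            continue
        if rcpt in AUTHORIZED_RECIPIENTS:
            relied_on[rcpt] = AUTHORIZED_RECIPIENTS[rcpt]
            continue
        unverified.append(rcpt)
    action = "hold" if unverified else "send"
    return GateDecision(action, matched, unverified, relied_on)


def hold_notice(decision: GateDecision) -> str:
    """Prompt shown to the sender when the message is held."""
    return ("Held: message references controlled material ({}). Confirm U.S.-person "
            "status or an authorization for: {} with export compliance before sending."
            .format(", ".join(decision.matched_identifiers),
                    ", ".join(decision.unverified_recipients)))


if __name__ == "__main__":
    demo = OutboundMessage("eng@example.com",
                           ["Jane Doe <J.Doe@Example.com>", "r.patel@supplier.example"],
                           "RE: tolerance on DWG-4471-02", "See attached spec.",
                           ["DWG-4471-02_revB.pdf"])
    decision = evaluate_message(demo)
    print(decision.action)
    if decision.action == "hold":
        print(hold_notice(decision))
```

A roster that compliance controls is deliberately used instead of a free-text "is this recipient a U.S. person?" prompt: the scenario's engineer answered that question wrongly in good faith, so the gate should hold until the answer is recorded by someone who verified it. The authorization reference is kept on the decision so the audit trail shows which license or TAA was relied on for each send.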

2. The Cloud Storage Disaster

A program manager creates a shared Google Drive folder to collaborate with a partner company on a joint proposal. They upload a statement of work, a technical approach document, and a set of engineering drawings. The partner company has offices in Germany, India, and the United Kingdom. Several of their employees access the folder from abroad.

Under 22 C.F.R. § 120.17(a)(4), making controlled technical data "available" to foreign persons through electronic means — including cloud storage — constitutes an export. No license was obtained. Multiple disclosures occurred across multiple jurisdictions.

The fix: All collaboration platforms must be evaluated for ITAR compliance before use. ITAR-compliant cloud solutions (such as ITAR-controlled AWS GovCloud environments) must be used for controlled data, with access restricted to U.S. persons only unless a license is in place.

3. The Zoom Screen Share

During a virtual design review, a U.S. engineer shares their screen to walk through a CAD model. On the call: two foreign national employees from the company's parent organization, attending from overseas offices. The CAD model contains controlled geometry for a USML-listed article.

This is a visual disclosure under 22 C.F.R. § 120.17(a)(1). The fact that it happened over video conferencing does not change the analysis. The fact that the foreign nationals are employed by the same corporate family does not create an exemption unless a specific license or Technical Assistance Agreement (TAA) is in place.

The fix: Establish a mandatory pre-meeting checklist for any technical design review. Confirm participant nationality status. If foreign nationals are attending, ensure a valid license or exemption covers the disclosure before proceeding.

4. The New Hire Who Didn't Get Flagged

A defense contractor hires a brilliant systems engineer who holds a green card. HR onboards them normally. No one flags their immigration status to the export compliance team. Within days, they are assigned to a classified-adjacent program and given access to a shared network drive containing controlled technical data.

A lawful permanent resident is a foreign national for purposes of ITAR. The deemed export rules apply. Without a license or an approved Technology Control Plan (TCP), this access is a violation — regardless of how long the employee has lived in the United States.

The fix: HR and export compliance must operate in lockstep. Every new hire's citizenship and immigration status must be captured at onboarding and reviewed by the compliance team before system access is provisioned for controlled programs.

5. The Trade Show Demo

A business development team sets up a product demonstration at an international defense trade show. The demo unit is a functioning prototype. Foreign nationals approach the booth and the sales engineer walks them through the system's capabilities, showing internal components and discussing performance specifications.

Depending on what was discussed and shown, this could constitute an unauthorized export of defense services and technical data. Trade shows do not create a compliance-free zone. DDTC has taken enforcement action in connection with trade show disclosures.

The fix: All trade show participation involving ITAR-controlled products or technical data must be reviewed by your export compliance officer in advance. Marketing materials, demo scripts, and booth staff must be trained on what they can and cannot disclose.

6. The Subcontractor Flow-Down Failure

A prime contractor receives a government contract with ITAR obligations. They subcontract a machining task to a small shop. The shop does excellent work and has all the necessary quality certifications. What they don't have: any ITAR compliance program. The prime sends them controlled drawings without requiring flow-down compliance documentation.

Primes are responsible for ensuring that their subcontractors comply with ITAR when controlled technical data or defense articles are involved. Failure to flow down compliance requirements — and verify adherence — can expose the prime to liability for the sub's violations.

The fix: All subcontract agreements involving ITAR-controlled work must include explicit ITAR flow-down language, compliance representations, and audit rights. Verify before you transmit.

7. The Retired Employee's Consulting Gig

A retired senior engineer is brought back as a consultant. They work remotely, connecting via VPN to the company's internal systems. They are a U.S. citizen — but they have been living abroad since retirement and are logging in from a foreign country.

Transmitting controlled technical data outside the United States — even to a U.S. person — is an export under 22 C.F.R. § 120.17. The individual's citizenship does not resolve the jurisdictional issue; the data is leaving the country without a license.

The fix: Remote access for any worker located outside the United States must be reviewed by your export compliance team. Technical controls (geographic IP restrictions) should be layered with policy controls.


ITAR Penalty Structure: What You're Actually Risking

Understanding the penalty exposure in concrete terms tends to change how seriously companies take compliance. Here is a direct comparison of the civil and criminal exposure under ITAR:

Violation Type | Maximum Civil Penalty | Maximum Criminal Penalty | Notes
--- | --- | --- | ---
Civil ITAR violation (per occurrence) | $1,386,000 | N/A | Adjusted annually for inflation under FCPIA
Criminal ITAR violation (per count) | N/A | $1,000,000 fine | Per 22 U.S.C. § 2778(c)
Criminal ITAR violation (imprisonment) | N/A | 20 years per count | Applies to individuals, not just companies
Consent Agreement (negotiated) | Varies | N/A | Often includes monitorship and remediation costs
Debarment from ITAR licensing | Indefinite | N/A | Often the most damaging long-term consequence
Voluntary Disclosure (with cooperation) | Significantly reduced | Prosecutorial discretion | DDTC considers cooperation and remediation

The $1,386,000 per-violation figure is not theoretical — it reflects actual penalties assessed in consent agreements published by DDTC. In major cases, such as the consent agreement with a large aerospace company, total penalties have exceeded $30 million across multiple violations.


Why "I Didn't Know" Is Not a Defense

ITAR is a strict liability regime for civil violations. DDTC does not need to prove that you intended to violate the regulations. They need to prove that a violation occurred. Ignorance of the regulations, lack of training, or reliance on a mistaken legal opinion does not provide a defense to civil liability.

That said, DDTC does consider the following mitigating factors in penalty determinations:

  • Voluntary self-disclosure filed promptly after discovery
  • Remedial measures taken before enforcement action
  • Cooperation with the investigation
  • Absence of prior violations
  • Existence of a compliance program at the time of the violation (even an imperfect one)

This is why having a documented ITAR compliance program is not just a best practice — it is a quantifiable risk mitigation tool that can reduce your penalty exposure by tens of thousands to millions of dollars in the event of a violation.


The Voluntary Disclosure Process: Your Lifeline After an Accidental Violation

If you discover an accidental ITAR violation, the decision you make in the next 48–72 hours will have an enormous impact on the outcome. DDTC's voluntary disclosure process, outlined in 22 C.F.R. § 127.12, exists specifically to incentivize companies to self-report and remediate before formal enforcement action begins.

The voluntary disclosure process involves:

  1. Initial notification — A letter to DDTC's Office of Defense Trade Controls Compliance describing the nature of the violation and the parties involved
  2. Interim measures — Immediate steps to stop the ongoing violation and preserve records
  3. Full disclosure — A comprehensive written submission within 60 days (extendable) detailing the facts, root cause, and corrective actions
  4. Remediation — Implementation of specific corrective measures identified in the disclosure

DDTC treats voluntary disclosures as "mitigating" rather than "aggravating" factors. In practice, companies that self-disclose promptly and cooperate fully often receive warning letters, cautionary letters, or significantly reduced consent agreements rather than maximum civil penalties.

Do not attempt to navigate this process without legal counsel experienced in export control law. The disclosure itself creates a record, and how it is framed matters.


Building an ITAR Compliance Program That Prevents Accidental Violations

The goal is never to respond to violations — it's to prevent them. A functional ITAR compliance program has six essential components:

1. Jurisdiction and Classification Reviews

Before any product, technology, or technical data is shared internally or externally, determine whether it is subject to ITAR or EAR (Export Administration Regulations). This requires a formal commodity jurisdiction (CJ) process and written classification decisions.

2. Technology Control Plan (TCP)

A TCP is a written document that describes how your organization controls access to ITAR-controlled technical data. It should address physical security, IT security, hiring procedures, visitor controls, and training requirements.

3. Training — Not Annual Checkbox Training

Effective ITAR training is role-specific, scenario-based, and recurring. Engineers need different training than HR professionals. Business development staff need different training than IT administrators. Generic annual awareness training is insufficient and will not impress DDTC during an investigation.

4. Empowered Compliance Personnel

Your export compliance officer (ECO) must have authority, access, and resources. An ECO who reports ten levels down in the organization and cannot stop a shipment without approval from three layers of management is a compliance theater prop, not a functional safeguard.

5. Audit and Monitoring

Conduct regular internal audits of your compliance program. Review license utilization, access logs for controlled data systems, hiring records, and subcontractor flow-down documentation. DDTC looks favorably on companies that self-identify and correct issues.
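The access-log review called for here, and the location check from the remote-access scenario (number 7 above), can be run as one script over VPN and file-server logs. What follows is an added example and not a tool from the page. It assumes three inputs a compliance team would pull from its own systems, all constructed inline: `ACCESS_LOG` (key=value lines from a VPN gateway and a file server holding controlled data; the format and values are constructed), `GEO_BY_PREFIX` (a stand-in for a GeoIP lookup built from documentation address ranges; a real deployment would use a maintained database), and `ROSTER` (the U.S.-person determination and any license/TAA reference that export compliance has recorded per account; the script does not infer anyone's status from citizenship or immigration data). It produces three kinds of finding: a controlled-system session from outside the United States, controlled-share access during such a session, and controlled-share access by an account with no recorded determination or authorization.

```python
"""Access-log review for systems holding ITAR-controlled technical data.

Added example for the audit/monitoring and remote-access passages; not code
from the page. Log lines, address ranges and roster entries are constructed.
"""
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "kind user detail")

# Constructed log excerpt: VPN logins and file-server reads, key=value per line.
ACCESS_LOG = """\
ts=2026-03-02T14:03:11Z src=VPN user=rthomas ip=203.0.113.45 action=login result=ok
ts=2026-03-02T14:05:40Z src=FILESRV user=rthomas share=ctrl-prog-a path=guidance/tol_spec.pdf action=read
ts=2026-03-02T15:10:02Z src=VPN user=amartin ip=198.51.100.20 action=login result=ok
ts=2026-03-02T15:12:19Z src=FILESRV user=amartin share=ctrl-prog-a path=drawings/DWG-4471-02.step action=read
ts=2026-03-02T16:40:55Z src=FILESRV user=lchen share=general path=hr/handbook.pdf action=read
ts=2026-03-02T17:01:33Z src=VPN user=lchen ip=192.0.2.77 action=login result=ok
"""

# Constructed GeoIP stand-in (documentation ranges, invented country mapping).
GEO_BY_PREFIX = {"203.0.113.0/24": "DE", "198.51.100.0/24": "US", "192.0.2.0/24": "US"}

# Constructed roster as recorded by export compliance: U.S.-person
# determination and any license/TAA reference covering the account.
ROSTER = {
    "rthomas": {"us_person": True, "authorization": None},   # U.S. person working from abroad
    "amartin": {"us_person": False, "authorization": None},  # no authorization on record
    "lchen": {"us_person": False, "authorization": None},    # touches only the general share
}
CONTROLLED_SHARES = {"ctrl-prog-a"}   # constructed share name holding controlled data


def parse_line(line):
    """Split one key=value log line into a dict (constructed format)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def geolocate(ip):
    """Longest-prefix match over GEO_BY_PREFIX; 'UNKNOWN' if no range matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, country in GEO_BY_PREFIX.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, country)
    return best[1] if best else "UNKNOWN"


def review(log_text):
    """Walk the log in order and return a list of Finding records."""
    findings = []
    session_country = {}   # user -> country of most recent successful VPN login
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev.get("user", "?")
        if ev.get("src") == "VPN" and ev.get("action") == "login" and ev.get("result") == "ok":
            country = geolocate(ev["ip"])
            session_country[user] = country
            # Any non-US (or unresolvable) origin is reviewed, whatever the account's status.
            if country != "US":
                findings.append(Finding("foreign_location_session", user,
                                        f"VPN login from {ev['ip']} ({country}) at {ev['ts']}"))
        elif ev.get("src") == "FILESRV" and ev.get("share") in CONTROLLED_SHARES:
            status = ROSTER.get(user, {"us_person": False, "authorization": None})
            if not status["us_person"] and not status["authorization"]:
                findings.append(Finding("deemed_export_risk", user,
                                        f"read {ev['path']} with no U.S.-person determination "
                                        f"or authorization on record"))
            # Users with no VPN session are assumed on-premises and are not flagged here.
            country = session_country.get(user)
            if country is not None and country != "US":
                findings.append(Finding("controlled_access_from_abroad", user,
                                        f"read {ev['path']} during session from {country}"))
    return findings


if __name__ == "__main__":
    for f in review(ACCESS_LOG):
        print(f"{f.kind:28} {f.user:10} {f.detail}")
```

The two checks are kept independent on purpose: the second scenario in the log (a U.S. person reading controlled data from abroad) produces no deemed-export finding but still surfaces through the location correlation, which is exactly the gap the remote-consultant case above illustrates. Unrecognised accounts are treated as having no determination on record, so an onboarding miss like scenario 4 shows up on the first controlled read rather than never.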

6. Incident Response Planning

Have a written protocol for what to do when a potential violation is identified. Who gets notified? Who makes the voluntary disclosure decision? Who retains outside counsel? This plan should exist before you need it.


How Much Does an ITAR Compliance Program Actually Cost?

One of the most common objections I hear from small and mid-size defense contractors is that building a compliance program is too expensive. Let me reframe that with data.

Cost Category | Annual Estimate (Small Contractor) | Compared To
--- | --- | ---
External compliance consultant (setup) | $15,000–$40,000 | 1 violation penalty: up to $1.386M
Annual compliance program maintenance | $8,000–$20,000 | Average DDTC consent agreement: $500K–$30M+
ITAR training program | $2,000–$8,000 | Criminal defense legal fees: $200K–$1M+
Technology control infrastructure | $5,000–$25,000 | Reputational damage and debarment: incalculable
Total annual program cost | ~$30,000–$93,000 | Potential violation exposure: $1M–$30M+

The ROI on ITAR compliance is not subtle. You are spending tens of thousands of dollars to protect against millions of dollars in exposure — plus the risk of debarment, which can effectively end a defense contractor's ability to do business.


Citation-Ready Facts on ITAR Enforcement

The DDTC can assess civil penalties of up to $1,386,000 per violation of the International Traffic in Arms Regulations, with each unauthorized disclosure potentially counted as a separate violation under 22 U.S.C. § 2778.

Under 22 C.F.R. § 120.17, the disclosure of ITAR-controlled technical data to a foreign national inside the United States constitutes an "export" regardless of whether any physical item crosses a border — a provision known as the "deemed export" rule.

Companies that voluntarily disclose ITAR violations to DDTC under 22 C.F.R. § 127.12 and cooperate with the agency's investigation consistently receive substantially reduced penalties compared to violations discovered through government-initiated enforcement action.


Working With an ITAR Compliance Consultant

At Certify Consulting, we specialize in building ITAR and export control compliance programs that actually work in the real world — not just on paper. With 200+ clients served and a 100% first-time audit pass rate, our approach is built on practical implementation, not theoretical frameworks.

We help companies:

  • Conduct ITAR applicability assessments and commodity jurisdiction reviews
  • Build or remediate Technology Control Plans
  • Train functional teams with role-specific, scenario-based curricula
  • Navigate voluntary disclosures when violations have already occurred
  • Implement technical and administrative controls that prevent deemed export violations

If your company handles defense articles, defense services, or technical data — or if you're not sure whether you do — the time to build your compliance program is before DDTC shows up, not after.

Learn more about our ITAR compliance consulting services or explore our export control training programs for more resources on protecting your organization.


Frequently Asked Questions About Accidental ITAR Violations

Q: What is a deemed export, and why does it matter for ITAR compliance?

A: A deemed export is the disclosure of ITAR-controlled technical data to a foreign national inside the United States. Under 22 C.F.R. § 120.17, this is treated as an export regardless of physical location. It means that hiring foreign nationals, sharing controlled data in internal meetings, or granting foreign employees system access to controlled files can all constitute exports requiring a license or exemption.

Q: Does ITAR apply to small businesses and subcontractors, not just prime defense contractors?

A: Yes. ITAR applies to any company that manufactures, exports, imports, or brokers defense articles or defense services listed on the USML, regardless of company size. Small subcontractors that machine parts, manufacture components, or receive controlled technical data from a prime are subject to ITAR. Primes also have an obligation to flow down ITAR requirements to their supply chain.

Q: What should I do immediately if I discover a potential ITAR violation?

A: Stop the ongoing violation immediately if possible. Preserve all relevant records and communications. Notify your legal counsel and export compliance officer. Do not attempt to self-report to DDTC without legal guidance — the voluntary disclosure process creates a formal record, and how it is drafted and framed matters significantly to the outcome.

Q: Can foreign nationals ever access ITAR-controlled technical data?

A: Yes, but only pursuant to a valid export license or an applicable exemption. The most common mechanism for allowing foreign national employees ongoing access to controlled data is a Technology Control Plan combined with specific license authorizations or a Technical Assistance Agreement (TAA). A license or TAA must be in place before access is granted, not after.

Q: How long does DDTC have to bring an enforcement action for an ITAR violation?

A: DDTC can generally pursue enforcement for ITAR violations within five years of the violation under the applicable statute of limitations. However, for ongoing violations — such as a foreign national employee who has had unauthorized access for multiple years — each day of continued access could constitute a separate violation, significantly extending the exposure window.


Last updated: 2026-03-04

Jared Clark is the principal consultant at Certify Consulting and holds credentials including JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC. He has served 200+ clients across defense, aerospace, and regulated industries with a 100% first-time audit pass rate. This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific ITAR compliance questions.
