Light Dark
July 26, 2016 By Christopher Burgess 3 min read
CISO

Every country has its own rules and regulations, and companies engaging in international business will undoubtedly encounter multijurisdictional compliance issues. Companies with offices in multiple countries will be exposed to even more multijurisdictional compliance issues, which sometimes turn into conundrums.

This conflict can be mitigated, but it cannot be ignored.

Multijurisdictional Compliance in the U.S.

In the U.S., there is a plethora of rules and regulations surrounding the conduct of commerce. When doing business abroad, a U.S. company must observe both domestic regulations and those of the country in which it plans to do business.

For example, companies that develop advanced technologies, such as encryption devices or methodologies, should fully understand the ramifications of the Department of State’s International Traffic in Arms Regulations (ITAR) and Arms Export Control Act (AECA), as well as the Department of Commerce’s Export Administration Regulation (EAR), which regulates the export of technologies prior to sharing them with national employees or business partners from other countries.

Similarly, the Department of Justice’s Foreign Corrupt Practices Act (FCPA) comes into play for every company or person who conducts commerce within the U.S. With respect to the FCPA, the anti-bribery provision is especially important to understand.

Organizations from foreign countries doing business in the U.S. must comply with the U.S. International Trade Commission’s Sec. 1337 – Unfair practices in import trade so as not to run afoul of import regulations. According to the USITC, there have been more than 25 complaints in the past 90 days of unfair business practices by foreign entities.

Compliance Abroad

Companies conducting business abroad should be mindful not only of the laws and regulations of the U.S., but also those of the country in which they wish to operate. For example, companies operating in the European Union must handle data derived from customer engagement and employee information in accordance with EU privacy laws. This may require separating European data from U.S. data as different laws and regulations come into play.

Multijurisdictional compliance issues may also arise when a company attempts to transfer an individual from one foreign office to another. Is this individual eligible to work in the destination country? Will a special work visa be possible? A company’s desire to transfer the best employee for the job may be upended by the rules and regulations of the particular country. Thus, every entity must understand the legal requirements for the entire employee workforce in each locale, including the U.S.

Awareness and Education

Even after navigating the maze of regulations, companies must take cultural differences into account. Business practices differ from one locale to another, as do the cadence and manner in which commerce is conducted.

These cultural differences may, as noted above, place employees or companies in ethical dilemmas. Companies can avoid the FCPA and minimize ethical conflict by training employees to recognize the nuanced differences between the business methodologies and cultural mannerisms of different countries.

Once it obtains permission from the Department of State and Department of Commerce to share advanced technologies with a specific entity or person abroad, the company must educate its custodians that this permission does not extend beyond the specifics. If a company shares this data in an email to all members of a global team when the permission was for only the members of the team in a specific locale, it may find itself in a noncompliant status.

In 2012, for example, the Department of State announced that a company in the U.S. and its Canadian subsidiary were fined $75 million for the unauthorized disclosure of technology to a foreign government. On June 20, a separate U.S. company was fined $100,000 for violation of ITAR and AECA when it allowed technology to be obtained by an individual from a proscribed country. The individual was an employee of the company but was of a nationality that was proscribed from accessing the data due to its classification as advanced technology.

In both of these instances, the companies were found to be noncompliant even though the data was only accessed by company employees. Thus, it behooves all companies to understand the 360-degree compliance matrix when dealing with export regulations. Business practices, data access, privacy and ethics will go a long way toward keeping the train of commerce squarely on the rails.

 |  | 
Christopher Burgess
CEO at Prevendra

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature