July 26, 2016 By Christopher Burgess 3 min read

Every country has its own rules and regulations, and companies engaging in international business will undoubtedly encounter multijurisdictional compliance issues. Companies with offices in multiple countries will be exposed to even more multijurisdictional compliance issues, which sometimes turn into conundrums.

This conflict can be mitigated, but it cannot be ignored.

Multijurisdictional Compliance in the U.S.

In the U.S., there is a plethora of rules and regulations surrounding the conduct of commerce. When doing business abroad, a U.S. company must observe both domestic regulations and those of the country in which it plans to do business.

For example, before sharing advanced technologies, such as encryption devices or methodologies, with national employees or business partners from other countries, companies that develop them should fully understand the ramifications of the Department of State's International Traffic in Arms Regulations (ITAR) and Arms Export Control Act (AECA), as well as the Department of Commerce's Export Administration Regulation (EAR), which regulates the export of technologies.

Similarly, the Department of Justice’s Foreign Corrupt Practices Act (FCPA) comes into play for every company or person who conducts commerce within the U.S. With respect to the FCPA, the anti-bribery provision is especially important to understand.

Organizations from foreign countries doing business in the U.S. must comply with the U.S. International Trade Commission’s Sec. 1337 – Unfair practices in import trade so as not to run afoul of import regulations. According to the USITC, there have been more than 25 complaints in the past 90 days of unfair business practices by foreign entities.

Compliance Abroad

Companies conducting business abroad should be mindful not only of the laws and regulations of the U.S., but also those of the country in which they wish to operate. For example, companies operating in the European Union must handle data derived from customer engagement and employee information in accordance with EU privacy laws. This may require separating European data from U.S. data as different laws and regulations come into play.

Multijurisdictional compliance issues may also arise when a company attempts to transfer an individual from one foreign office to another. Is this individual eligible to work in the destination country? Will a special work visa be possible? A company’s desire to transfer the best employee for the job may be upended by the rules and regulations of the particular country. Thus, every entity must understand the legal requirements for the entire employee workforce in each locale, including the U.S.

Awareness and Education

Even after navigating the maze of regulations, companies must take cultural differences into account. Business practices differ from one locale to another, as do the cadence and manner in which commerce is conducted.

These cultural differences may, as noted above, place employees or companies in ethical dilemmas. Companies can avoid FCPA violations and minimize ethical conflict by training employees to recognize the nuanced differences between the business methodologies and cultural mannerisms of different countries.

Once a company obtains permission from the Department of State and Department of Commerce to share advanced technologies with a specific entity or person abroad, it must educate its custodians that this permission does not extend beyond the specifics. If a company shares this data in an email to all members of a global team when the permission covered only the members of the team in a specific locale, it may find itself in a noncompliant status.

In 2012, for example, the Department of State announced that a company in the U.S. and its Canadian subsidiary were fined $75 million for the unauthorized disclosure of technology to a foreign government. On June 20, a separate U.S. company was fined $100,000 for violation of ITAR and AECA when it allowed technology to be obtained by an individual from a proscribed country. The individual was an employee of the company but was of a nationality that was proscribed from accessing the data due to its classification as advanced technology.

In both of these instances, the companies were found to be noncompliant even though the data was only accessed by company employees. Thus, it behooves all companies to understand the 360-degree compliance matrix when dealing with export regulations. Attention to business practices, data access, privacy and ethics will go a long way toward keeping the train of commerce squarely on the rails.
