Every country has its own rules and regulations, and companies engaging in international business will undoubtedly encounter multijurisdictional compliance issues. Companies with offices in multiple countries will be exposed to even more multijurisdictional compliance issues, which sometimes turn into conundrums.

This conflict can be mitigated, but it cannot be ignored.

Multijurisdictional Compliance in the U.S.

In the U.S., there is a plethora of rules and regulations surrounding the conduct of commerce. When doing business abroad, a U.S. company must observe both domestic regulations and those of the country in which it plans to do business.

For example, companies that develop advanced technologies, such as encryption devices or methodologies, should fully understand the ramifications of the Department of State’s International Traffic in Arms Regulations (ITAR) and Arms Export Control Act (AECA), as well as the Department of Commerce’s Export Administration Regulation (EAR), which regulates the export of technologies prior to sharing them with national employees or business partners from other countries.

Similarly, the Department of Justice’s Foreign Corrupt Practices Act (FCPA) comes into play for every company or person who conducts commerce within the U.S. With respect to the FCPA, the anti-bribery provision is especially important to understand.

Organizations from foreign countries doing business in the U.S. must comply with the U.S. International Trade Commission’s Sec. 1337 – Unfair practices in import trade so as not to run afoul of import regulations. According to the USITC, there have been more than 25 complaints in the past 90 days of unfair business practices by foreign entities.

Compliance Abroad

Companies conducting business abroad should be mindful not only of the laws and regulations of the U.S., but also those of the country in which they wish to operate. For example, companies operating in the European Union must handle data derived from customer engagement and employee information in accordance with EU privacy laws. This may require separating European data from U.S. data as different laws and regulations come into play.

Multijurisdictional compliance issues may also arise when a company attempts to transfer an individual from one foreign office to another. Is this individual eligible to work in the destination country? Will a special work visa be possible? A company’s desire to transfer the best employee for the job may be upended by the rules and regulations of the particular country. Thus, every entity must understand the legal requirements for the entire employee workforce in each locale, including the U.S.

Awareness and Education

Even after navigating the maze of regulations, companies must take cultural differences into account. Business practices differ from one locale to another, as do the cadence and manner in which commerce is conducted.

These cultural differences may, as noted above, place employees or companies in ethical dilemmas. Companies can avoid the FCPA and minimize ethical conflict by training employees to recognize the nuanced differences between the business methodologies and cultural mannerisms of different countries.

Once it obtains permission from the Department of State and Department of Commerce to share advanced technologies with a specific entity or person abroad, the company must educate its custodians that this permission does not extend beyond the specifics. If a company shares this data in an email to all members of a global team when the permission was for only the members of the team in a specific locale, it may find itself in a noncompliant status.

In 2012, for example, the Department of State announced that a company in the U.S. and its Canadian subsidiary were fined $75 million for the unauthorized disclosure of technology to a foreign government. On June 20, a separate U.S. company was fined $100,000 for violation of ITAR and AECA when it allowed technology to be obtained by an individual from a proscribed country. The individual was an employee of the company but was of a nationality that was proscribed from accessing the data due to its classification as advanced technology.

In both of these instances, the companies were found to be noncompliant even though the data was only accessed by company employees. Thus, it behooves all companies to understand the 360-degree compliance matrix when dealing with export regulations. Business practices, data access, privacy and ethics will go a long way toward keeping the train of commerce squarely on the rails.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…