Every country has its own rules and regulations, and companies engaging in international business will undoubtedly encounter multijurisdictional compliance issues. Companies with offices in multiple countries will be exposed to even more multijurisdictional compliance issues, which sometimes turn into conundrums.

This conflict can be mitigated, but it cannot be ignored.

Multijurisdictional Compliance in the U.S.

In the U.S., there is a plethora of rules and regulations surrounding the conduct of commerce. When doing business abroad, a U.S. company must observe both domestic regulations and those of the country in which it plans to do business.

For example, companies that develop advanced technologies, such as encryption devices or methodologies, should fully understand the ramifications of the Department of State’s International Traffic in Arms Regulations (ITAR) and Arms Export Control Act (AECA), as well as the Department of Commerce’s Export Administration Regulations (EAR), which regulate the export of technologies, before sharing those technologies with national employees or business partners from other countries.

Similarly, the Department of Justice’s Foreign Corrupt Practices Act (FCPA) comes into play for every company or person who conducts commerce within the U.S. With respect to the FCPA, the anti-bribery provision is especially important to understand.

Organizations from foreign countries doing business in the U.S. must comply with the U.S. International Trade Commission’s Sec. 1337 – Unfair practices in import trade so as not to run afoul of import regulations. According to the USITC, there have been more than 25 complaints in the past 90 days of unfair business practices by foreign entities.

Compliance Abroad

Companies conducting business abroad should be mindful not only of the laws and regulations of the U.S., but also those of the country in which they wish to operate. For example, companies operating in the European Union must handle data derived from customer engagement and employee information in accordance with EU privacy laws. This may require separating European data from U.S. data as different laws and regulations come into play.

Multijurisdictional compliance issues may also arise when a company attempts to transfer an individual from one foreign office to another. Is this individual eligible to work in the destination country? Will a special work visa be possible? A company’s desire to transfer the best employee for the job may be upended by the rules and regulations of the particular country. Thus, every entity must understand the legal requirements for the entire employee workforce in each locale, including the U.S.

Awareness and Education

Even after navigating the maze of regulations, companies must take cultural differences into account. Business practices differ from one locale to another, as do the cadence and manner in which commerce is conducted.

These cultural differences may, as noted above, place employees or companies in ethical dilemmas. Companies can avoid running afoul of the FCPA and minimize ethical conflict by training employees to recognize the nuanced differences between the business methodologies and cultural mannerisms of different countries.

Once a company obtains permission from the Department of State and Department of Commerce to share advanced technologies with a specific entity or person abroad, it must educate its custodians that this permission does not extend beyond the specifics. If a company shares this data in an email to all members of a global team when the permission covered only the members of the team in a specific locale, it may find itself in a noncompliant status.

In 2012, for example, the Department of State announced that a company in the U.S. and its Canadian subsidiary were fined $75 million for the unauthorized disclosure of technology to a foreign government. On June 20, a separate U.S. company was fined $100,000 for violation of ITAR and AECA when it allowed technology to be obtained by an individual from a proscribed country. The individual was an employee of the company but was of a nationality that was proscribed from accessing the data due to its classification as advanced technology.

In both of these instances, the companies were found to be noncompliant even though the data was only accessed by company employees. Thus, it behooves all companies to understand the 360-degree compliance matrix when dealing with export regulations. Attention to business practices, data access, privacy and ethics will go a long way toward keeping the train of commerce squarely on the rails.
