While you might be familiar with your local legal and regulatory issues, you must be familiar with legal and regulatory issues elsewhere too, at least at a high level.
- Cyber crimes and data breaches. Before your organization expands to other countries, perform due diligence to understand their legal systems and what changes might be required to the way that data is handled and secured. In particular, be familiar with the Council of Europe Convention on Cybercrime, a treaty signed by many countries that establishes standards for cybercrime policy. Be familiar with the various laws about data breaches, including notification requirements. In the United States, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires notification of a data breach in some cases, such as when the exposed personal health information was not protected in accordance with the Health Insurance Portability and Accountability Act (HIPAA). The Gramm-Leach-Bliley Act (GLBA) applies to insurance and financial organizations; it requires notification to federal regulators, law enforcement agencies and customers when a data breach occurs. Individual U.S. states also impose their own requirements concerning data breaches. The EU and other countries have their own requirements too. The GDPR has very strict data breach notification requirements: a data breach must be reported to the competent supervisory authority within 72 hours of its discovery. Some countries do not have any reporting requirements.
- Licensing and intellectual property requirements. Understand the rules around:
  - Trademarks — A logo, symbol or mascot used for marketing a brand
  - Patents — A temporary monopoly for producing a specific item such as a toy, which must be novel and unique to qualify for a patent
  - Copyright — Exclusive use of artistic, musical or literary works that prevents unauthorized duplication, distribution or modification
  - Licensing — A contract between the software producer and the consumer that limits the use and/or distribution of the software
- Import/export controls. Every country has laws around the import and export of hardware and software. For example, the United States has restrictions around the export of cryptographic technology, and Russia requires a license to import encryption technologies manufactured outside the country.
- Trans-border data flow. If your organization adheres to specific security laws and regulations, then you should adhere to them no matter where the data resides — for example, even if you store a second copy of your data in another country. Be aware of the applicable laws in all countries where you store data and maintain computer systems. In some cases, data might need to remain in the country. In other cases, you need to be careful with your data because the technical teams operating the systems might be unaware of the security and compliance requirements that apply to it. The EU-US Privacy Shield (formerly the EU-US Safe Harbor agreement) controls data flow from the EU to the United States. The EU has more stringent privacy protections, and without the Safe Harbor agreement, personal data flow from the EU to the United States would not be allowed.
- Privacy. Many laws include privacy protections for personal data. The new GDPR has strong privacy rules that apply to any organization anywhere that stores or processes the personal data of EU citizens; in particular, individuals must be told how their data is collected and used, and they must be able to opt out. The privacy guidelines of the Organisation for Economic Co-operation and Development (OECD) require organizations to avoid unjustified obstacles to trans-border data flow, limit personal data collection, protect personal data with reasonable security, and more.