WEBVTT

1
00:00:00.000 --> 00:00:01.290
In this lesson,

2
00:00:01.290 --> 00:00:04.710
we will learn about cross-jurisdictional compliance.

3
00:00:04.710 --> 00:00:06.990
Cross-jurisdictional compliance requirements

4
00:00:06.990 --> 00:00:10.980
establish standards that ensure an organization's practices

5
00:00:10.980 --> 00:00:14.430
are compliant with all applicable local, national,

6
00:00:14.430 --> 00:00:16.290
and international laws.

7
00:00:16.290 --> 00:00:19.590
Compliance may involve items such as due diligence,

8
00:00:19.590 --> 00:00:24.060
due care, contractual obligations, and export controls.

9
00:00:24.060 --> 00:00:27.510
Let's explore each of these items in more detail.

10
00:00:27.510 --> 00:00:31.320
First, let's talk about due diligence and due care.

11
00:00:31.320 --> 00:00:33.720
Think of due diligence and due care

12
00:00:33.720 --> 00:00:36.240
like buying and maintaining a car.

13
00:00:36.240 --> 00:00:37.800
Both are necessary,

14
00:00:37.800 --> 00:00:39.870
but they happen at different stages

15
00:00:39.870 --> 00:00:43.230
of the car buying and car ownership process.

16
00:00:43.230 --> 00:00:45.210
To understand due diligence,

17
00:00:45.210 --> 00:00:47.430
let's imagine we're buying that car.

18
00:00:47.430 --> 00:00:49.080
Before we make the purchase,

19
00:00:49.080 --> 00:00:52.110
we do our homework by researching different models,

20
00:00:52.110 --> 00:00:54.690
reading reviews, comparing prices,

21
00:00:54.690 --> 00:00:56.640
and checking the car's history.

22
00:00:56.640 --> 00:00:58.950
This is all about being cautious

23
00:00:58.950 --> 00:01:02.520
and thorough before making a big purchase decision.

24
00:01:02.520 --> 00:01:06.210
In the information security world, due diligence is similar.

25
00:01:06.210 --> 00:01:08.190
It involves all the preparation

26
00:01:08.190 --> 00:01:12.330
and investigation a company does before taking an action,

27
00:01:12.330 --> 00:01:15.090
such as adopting a new software solution,

28
00:01:15.090 --> 00:01:16.860
or launching a new service.

29
00:01:16.860 --> 00:01:20.100
Due diligence helps identify potential risks,

30
00:01:20.100 --> 00:01:22.410
enabling the organization to determine

31
00:01:22.410 --> 00:01:26.580
and implement necessary security measures ahead of time.

32
00:01:26.580 --> 00:01:30.690
Now, once we buy that car, we need to exercise due care.

33
00:01:30.690 --> 00:01:31.830
As a car owner,

34
00:01:31.830 --> 00:01:36.120
it's our responsibility to keep the car in good condition.

35
00:01:36.120 --> 00:01:39.030
This means taking it for regular oil changes,

36
00:01:39.030 --> 00:01:42.900
rotating the tires, and fixing any issues that arise,

37
00:01:42.900 --> 00:01:46.320
basically doing maintenance to prevent breakdowns.

38
00:01:46.320 --> 00:01:50.190
In the same way, due care in information security means

39
00:01:50.190 --> 00:01:53.820
taking ongoing actions to protect against risks.

40
00:01:53.820 --> 00:01:57.090
For example, after identifying potential threats

41
00:01:57.090 --> 00:01:58.530
through due diligence,

42
00:01:58.530 --> 00:02:01.080
a company then has to maintain and monitor

43
00:02:01.080 --> 00:02:02.820
their systems regularly,

44
00:02:02.820 --> 00:02:06.270
making sure their security measures are actively working

45
00:02:06.270 --> 00:02:07.710
to protect data.

46
00:02:07.710 --> 00:02:09.660
This is due care.

47
00:02:09.660 --> 00:02:13.290
Next, let's talk about contractual obligations.

48
00:02:13.290 --> 00:02:16.230
Contractual obligations are specific requirements

49
00:02:16.230 --> 00:02:18.150
that are included in contracts.

50
00:02:18.150 --> 00:02:20.160
These can be quite tricky,

51
00:02:20.160 --> 00:02:22.470
especially if a company works in a number

52
00:02:22.470 --> 00:02:24.570
of different jurisdictions.

53
00:02:24.570 --> 00:02:27.630
Legal and regulatory requirements can vary widely

54
00:02:27.630 --> 00:02:29.640
from one location to another.

55
00:02:29.640 --> 00:02:34.140
For example, imagine our company operates in the U.S.

56
00:02:34.140 --> 00:02:36.660
but handles data for clients in Europe.

57
00:02:36.660 --> 00:02:37.710
In this case,

58
00:02:37.710 --> 00:02:41.070
we need to comply not only with U.S. regulations,

59
00:02:41.070 --> 00:02:43.020
but also with European ones,

60
00:02:43.020 --> 00:02:46.950
like the General Data Protection Regulation, or GDPR.

61
00:02:46.950 --> 00:02:49.260
Our contract might include clauses

62
00:02:49.260 --> 00:02:51.060
that specifically address this,

63
00:02:51.060 --> 00:02:53.130
making it clear who's responsible

64
00:02:53.130 --> 00:02:57.270
for ensuring that local laws are followed in each region.

65
00:02:57.270 --> 00:02:59.760
This means our company has to keep track

66
00:02:59.760 --> 00:03:03.420
of different privacy laws, data protection standards,

67
00:03:03.420 --> 00:03:07.350
and security requirements across multiple countries.

68
00:03:07.350 --> 00:03:10.590
Tracking different privacy laws can be challenging,

69
00:03:10.590 --> 00:03:13.440
but it's crucial for avoiding legal penalties

70
00:03:13.440 --> 00:03:15.780
and maintaining trust with clients.

71
00:03:15.780 --> 00:03:19.920
Now, let's discuss legal hold and e-discovery.

72
00:03:19.920 --> 00:03:23.010
Legal holds require companies to prevent the deletion

73
00:03:23.010 --> 00:03:26.340
or alteration of information because that information

74
00:03:26.340 --> 00:03:28.680
might be used as evidence in court.

75
00:03:28.680 --> 00:03:31.560
Importantly, information that is kept as part

76
00:03:31.560 --> 00:03:36.030
of a legal hold may or may not be used as evidence.

77
00:03:36.030 --> 00:03:38.250
Its use isn't guaranteed.

78
00:03:38.250 --> 00:03:40.650
The case may not even end up in court,

79
00:03:40.650 --> 00:03:43.800
or lawyers may decide not to use the evidence.

80
00:03:43.800 --> 00:03:46.170
But the goal of legal hold is

81
00:03:46.170 --> 00:03:49.200
to preserve everything relevant just in case

82
00:03:49.200 --> 00:03:51.330
it's needed later in court.

83
00:03:51.330 --> 00:03:53.670
Now, let's talk about e-discovery.

84
00:03:53.670 --> 00:03:56.100
E-discovery is the process of searching

85
00:03:56.100 --> 00:04:00.330
through all preserved data, such as emails, documents,

86
00:04:00.330 --> 00:04:03.420
and saved files, to find out what's important

87
00:04:03.420 --> 00:04:04.740
for a court case.

88
00:04:04.740 --> 00:04:07.020
E-discovery is typically conducted

89
00:04:07.020 --> 00:04:09.390
by a combination of legal teams,

90
00:04:09.390 --> 00:04:13.020
meaning lawyers and paralegals, IT professionals,

91
00:04:13.020 --> 00:04:17.430
and sometimes specialized third-party e-discovery vendors.

92
00:04:17.430 --> 00:04:20.610
Finally, let's consider export controls.

93
00:04:20.610 --> 00:04:24.060
Export controls regulate the international transfer

94
00:04:24.060 --> 00:04:26.160
of dual-use technologies.

95
00:04:26.160 --> 00:04:28.350
Like contractual obligations,

96
00:04:28.350 --> 00:04:30.720
export controls can get complicated

97
00:04:30.720 --> 00:04:33.750
where cross-jurisdictional compliance is required.

98
00:04:33.750 --> 00:04:36.450
This is especially true in the tech world,

99
00:04:36.450 --> 00:04:39.660
where cybersecurity tools like Check Point's Firewall

100
00:04:39.660 --> 00:04:42.330
and VPN software are involved.

101
00:04:42.330 --> 00:04:44.550
Check Point's Firewall and VPN software

102
00:04:44.550 --> 00:04:47.520
use strong encryption to secure networks

103
00:04:47.520 --> 00:04:48.750
and communication.

104
00:04:48.750 --> 00:04:52.440
Strong encryption is considered dual-use technology,

105
00:04:52.440 --> 00:04:56.760
meaning it has both civilian and military applications.

106
00:04:56.760 --> 00:04:59.160
Because of this, Check Point's Firewall

107
00:04:59.160 --> 00:05:03.180
and VPN software fall under the Wassenaar Arrangement.

108
00:05:03.180 --> 00:05:06.480
The Wassenaar Arrangement is an international agreement

109
00:05:06.480 --> 00:05:10.200
that controls the export of dual-use technologies.

110
00:05:10.200 --> 00:05:11.850
So, if a company wants

111
00:05:11.850 --> 00:05:15.750
to export Check Point's security software to another country,

112
00:05:15.750 --> 00:05:18.030
they have to ensure compliance with local

113
00:05:18.030 --> 00:05:20.370
and international export laws.

114
00:05:20.370 --> 00:05:23.250
This often means applying for an export license

115
00:05:23.250 --> 00:05:26.160
before shipping software to certain countries,

116
00:05:26.160 --> 00:05:29.760
especially those under restrictions or sanctions.

117
00:05:29.760 --> 00:05:32.340
Failure to follow these controls can result

118
00:05:32.340 --> 00:05:34.620
in hefty fines and penalties.

119
00:05:34.620 --> 00:05:37.110
So, it's very important for companies

120
00:05:37.110 --> 00:05:39.750
to navigate these regulations carefully

121
00:05:39.750 --> 00:05:41.610
to avoid legal trouble.

122
00:05:41.610 --> 00:05:45.840
So, remember, cross-jurisdictional compliance ensures

123
00:05:45.840 --> 00:05:49.620
that organizations adhere to local, national,

124
00:05:49.620 --> 00:05:51.600
and international laws.

125
00:05:51.600 --> 00:05:55.770
Key areas of focus include due diligence, due care,

126
00:05:55.770 --> 00:05:59.490
contractual obligations, and export controls.

127
00:05:59.490 --> 00:06:02.280
Due diligence involves thorough preparation

128
00:06:02.280 --> 00:06:05.790
and risk identification before taking action,

129
00:06:05.790 --> 00:06:08.130
while due care is about maintaining

130
00:06:08.130 --> 00:06:11.970
ongoing security measures after action has been taken.

131
00:06:11.970 --> 00:06:15.660
Contractual obligations across regions require companies

132
00:06:15.660 --> 00:06:18.030
to comply with varying laws,

133
00:06:18.030 --> 00:06:21.150
such as data privacy regulations.

134
00:06:21.150 --> 00:06:25.350
Finally, export controls regulate the international transfer

135
00:06:25.350 --> 00:06:27.150
of dual-use technologies,

136
00:06:27.150 --> 00:06:29.580
ensuring compliance with agreements like

137
00:06:29.580 --> 00:06:33.153
the Wassenaar Arrangement to avoid legal issues.

