This is the second installment of a two-part series. Read part one here.

Less than a month ago, U.S. prosecutors said they had uncovered the largest credit card fraud operation in U.S. history and arrested six men in Russia and Ukraine. More than 160 million credit and debit card numbers were stolen, costing the victim companies more than $300 million. The fraud targeted Citigroup, JC Penney, JetBlue Airways, Nasdaq, and PNC Financial Services. It’s no wonder that senior in-house lawyers in the recently released Winston & Strawn “International Business Risk Survey” say that their top concern in following data privacy laws is customer data—including data security and risk. Tied for second-greatest concern are cross-border data transfer and legal compliance with data security and breach notification laws.

“Interestingly, it is the potential for loss of brand equity that responding corporate counsel identify as their most significant concern,” said Lisa Thomas, a data privacy and protection partner with Winston & Strawn in Chicago. In this sense, they are well-aligned with their business-side colleagues in focusing on reputational risk. “Given this ‘external’ focus, they should continually re-evaluate the effectiveness of their data-protection policies, procedures, and training, including domestic and cross-border compliance,” Thomas says.

Reducing business risks of data privacy breaches, corruption, and other compliance issues is a constantly evolving challenge for growing international companies. Laws and enforcement vary widely from one country to the next, and market practices are highly inconsistent around the world.

For the Winston & Strawn survey, conducted online from May-June 2013, the firm talked to top corporate counsel at major multinationals in the United States and Europe, and found that policies and procedures to address various risks may be in place, but there are obstacles to compliance across jurisdictions and businesses. The issues range from unclear accountability for data privacy and protection compliance, to joint ventures or alliances with foreign partners that have different cultural and market practices.

Survey respondents use varied approaches to managing legal compliance for data privacy and protection. The variations involve different combinations of legal, compliance, IT, marketing, and human resources departments. But they have this in common: General counsel underscore the importance of making responsibilities completely clear in a matrix structure to ensure that no issues fall through the cracks. Regular communications and coordination are important.

Given the high concern corporate counsel express regarding cross-border data transfer, it should be regular practice to ensure that the company’s procedures for transferring data internationally conform to legal requirements of both the “sending” and “receiving” countries. The study results also suggest that in-house counsel rank data privacy and protection risks based on the industry and countries of operation in order to better focus their compliance efforts.

In the area of cross-border joint ventures and strategic alliances, the two greatest risks for the senior counsel respondents in emerging and high-growth markets are differing cultural and market practices from their partners, and complying with local laws and regulations. “Corporate counsel tell us that in emerging markets, they want their advisers to connect the nuances of local market practices and regulatory context to their work,” says Jerome Herbet, a Winston & Strawn partner in Paris, adding, “It’s clear that strict legal advice without those insights and know-how is of little value to the business.”

The primary way that multinational general counsel take action to reduce cross-border joint venture risk is to involve in-house lawyers in due diligence from the outset. That places demands on their in-house legal teams to cover the many markets in which they are expanding. General counsel also encourage cross-border sensitive governance and operational policies. According to Zoe Ashcroft, a Winston & Strawn partner in London, “The challenge for all of these ventures is to adhere to applicable regulatory regimes while addressing the realities and risks of doing business in the local market.”

E. Leigh Dance is president of ELD International, a consultancy to global corporate counsel. Barbara Sessions is chief marketing officer of Winston & Strawn.