This commentary is the full response to an Ask the Expert question in the law, public policy and standards section.
Sarbanes-Oxley contains many features, but there are two that stand out from an IT security perspective.
First, Sections 302(a)(4) and 404 require a public company and its top officers to make disclosures and certifications to the Securities and Exchange Commission regarding the company's system of internal controls. Internal controls cover an enormous range of methods and procedures that an organization employs to ensure it is using resources as intended, preventing fraud, protecting assets from damage and waste, and so on. Among those methods and procedures are IT security techniques to thwart hackers, viruses, criminals and other pests that might abuse the organization's IT infrastructure (degrade its performance, use it to steal money, transform it into a clandestine spam mill, etc.).

One way a violation might occur would be for the company, the CEO and the CFO to disclose to the SEC essentially "we have been diligent and thorough in pursuing control and security over our IT resources," when in fact the company was handling IT security and control in a slipshod way. Evidence of slipshod handling would typically not be any single problem or event, but rather a series of shortcomings that add up to indicate poor performance. For example, such a series of shortcomings might include:
- A history of Trojan break-ins that caused leakage of high-profile company trade secrets.
- A spate of incidents in which hackers hijacked company servers to launch distributed denial of service attacks.
- Lack of documentation showing that upper management had regularly reviewed and supported the company's IT security apparatus.
- Failure to hire competent IT security staff or to provide resources commensurate with the challenges of safeguarding the company's infrastructure.
There are two ways this violation might be punished. First, the SEC might bring a regulatory action against the company and its top officers for, basically, not telling the truth. Such an action would be embarrassing and could lead to banishment of the officers from executive positions in any public companies. Second, investors (shareholders, bondholders) might sue the company and its officers for lying to them. In both scenarios, the SEC action and the investor lawsuit, the charges on lying about IT security might be combined with charges of lying about other things (such as oversight of financial controls), creating an overall picture of management deceitfulness and incompetence.
The second feature of Sarbanes-Oxley is Section 802, which expands the federal obstruction of justice law. CPA firm Arthur Andersen was convicted of obstruction of justice in connection with the Enron scandal. Essentially, Andersen destroyed documents that it should have preserved. One month after Andersen's conviction, Congress adopted Sarbanes-Oxley, including Section 802, which will make the next conviction for wrongful document destruction easier for the prosecutor.
Under Section 802, any person who destroys a record in contemplation of a federal investigation or lawsuit could be criminally liable. The problem is that when records such as e-mail are destroyed, it is hard to know whether the destruction is being done in contemplation of an investigation or lawsuit. Therefore, Section 802 puts pressure on companies to keep more records, for longer.
Here's an example of a Section 802 violation: The company possesses many years of general e-mail records. It knows it is about to be sued by the Environmental Protection Agency for allegedly violating antipollution laws. The company has retained lots of records specific to its pollution history, but it suspects the EPA will want to rummage around in its vast e-mail records, too. The company believes the e-mail records are of little relevance to the EPA. The company further believes that going through all the e-mail in response to a discovery request in litigation would be very expensive yet not very fruitful. So rather than giving the EPA and the court an opportunity in litigation to determine the relevance of the e-mail for themselves, the company decides, before litigation starts, to destroy all e-mail more than one year old.
That decision would be a violation of Section 802 because the company would have destroyed records in contemplation of a federal lawsuit, even though the suit had not formally been filed. For such a violation, the company (and possibly its relevant managers) could be prosecuted criminally in a manner similar to Arthur Andersen.
About the author
Ben Wright is an independent attorney practicing computer security and e-commerce law in Dallas, Texas.