Good Intentions Are Not Security

Cringely has a PBS column of 4 August 2005 about The New Robber Barons that revolves around the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX) and other recent legislation. The key to his argument is that:

These laws, especially the Gramm-Leach-Bliley Act of 1999 (GLBA), now make the victim of cyber theft into a criminal. And under Sarbanes Oxley, directors are held liable and can be sent to jail.
So suppose you’re a small financial institution, such as a credit union. It’s hard to keep track of everything, and eventually you’re likely to have some information stolen. You can try to keep it from the public, but you can’t keep it from your accounting firm. And your accounting firm is going to take it very seriously, because they will be liable if they don’t. So they will probably certify your credit union as not SOX or GLBA compliant.

You can either get compliant very quickly or go to jail. Getting compliant can be difficult for a small institution with little savvy about handling information through computers or networks and little overhead to spend to get it.

Clever bigger companies could take advantage of this problem by seeking out such smaller institutions and offering to buy them for a nominal fee. Thus the new robber barons.

I tend to think that SOX and GLBA were passed with all the good intentions in the world. But ever more detailed regulations with ever more draconian penalties can’t really solve the twin problems of corporate ethics and the risks of doing business in a networked world. Given that in a scale-free world of rapidly increasing connections there will be failures of any technical or procedural means of security, it would be prudent for legislation to take that into account.

And, of course, it would be prudent for companies to buy insurance for such eventualities, so they can afford to pay for lawyers to stay out of jail and so they can survive being forced to sell the store.

1 thought on “Good Intentions Are Not Security”

  1. Fazal Majid

    Anybody who thinks large corporations are more likely than small ones to pass compliance has no idea how messy and convoluted the IT systems of large corporations are.
    A small, stable credit union that has not changed much in the last 20 years is much more likely to have a grip on its systems than a large bank like BofA which has merged with several other companies in the last 10 years, and has a hodge-podge of poorly-integrated IT (California customers like myself are handled by a completely different system from the rest of the country, for instance).
    Since a big rationale for corporate mergers is synergy, i.e. firing people in overlapping departments, in most cases the people who know where the skeletons are buried have left the company already…