Cringely has a PBS column of 4 August 2005 about The New Robber Barons that revolves around the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX) and other recent legislation. The key to his argument is that:

These laws, especially the Gramm-Leach-Bliley Act of 1999 (GLBA), now make the victim of cyber theft into a criminal. And under Sarbanes Oxley, directors are held liable and can be sent to jail.

So suppose you’re a small financial institution, such as a credit union. It’s hard to keep track of everything, and eventually you’re likely to have some information stolen. You can try to keep it from the public, but you can’t keep it from your accounting firm. And your accounting firm is going to take it very seriously, because they will be liable if they don’t. So they will probably certify your credit union as not SOX or GLBA compliant.

You can either get compliant very quickly or go to jail. Getting compliant can be difficult for a small institution with little savvy about handling information through computers or networks and little overhead to spend to get it.

Clever bigger companies could take advantage of this problem by seeking out such smaller institutions and offering to buy them for a nominal fee. Thus the new robber barons.

I tend to think that SOX and GLBA were passed with all the good intentions in the world. But ever more detailed regulations with ever more draconian penalties can’t really solve the twin problems of corporate ethics and the risks of doing business in a networked world. Given that in a scale-free world of rapidly increasing connections there will be failures of any technical or procedural means of security, it would be prudent for legislation to take that into account.

And, of course, it would be prudent for companies to buy insurance for such eventualities, so they can afford to pay for lawyers to stay out of jail and so they can afford having to sell the store.

-jsq