In the Wake of the Year of the Data Breach, Do We Need a Sarbanes-Oxley for IT?



When scandals roil Wall Street or Corporate Boards, federal regulations soon follow. Five years into our data theft epidemic, however, there’s still no law demanding accountability for information security.

It would be accurate to say that 2014 was the 'year of the data breach,' what with Home Depot, and Staples, and P.F. Chang's, and Michaels Stores, and Dairy Queen (among others... you get the picture).

But the truth is that 2013 was the year of the data breach also. That year, Target, JP Morgan, Adobe Systems and the Internal Revenue Service were among the victims. And, frankly, 2012 wasn't what you'd consider sleepy on the matter of data theft and inadvertent data loss, either.

The circumstances of these incidents are different of course, but the regularity with which they occur suggests that there are bigger issues at play than merely unpatched software, poor password hygiene or vulnerable web applications. Uncomfortable as it is to say: data breaches may be more symptom than cause – the product of a business environment that treats IT failings differently than those in, say, the accounting or sales departments.

As President Obama prepares to use his State of the Union Address to Congress to promote a raft of new cyber security legislation, some security experts think it's time for this to change – and for the federal government to take a more forceful stand in holding businesses to high standards of conduct and efficacy when it comes to managing their information technology infrastructure.

There’s a precedent for this. In fact, there’s a long history of outsize scandals leading directly to legal reforms. After the corporate accounting scandals at companies like Enron, Tyco International and WorldCom came to light in 2001 and 2002 and cost investors billions of dollars, Congress passed the Sarbanes-Oxley Act of 2002 to set high standards for the reporting of corporate financial data and to establish clear guidelines for both accounting firms and corporate executives and boards.

Then, when the economic collapse of 2008 and 2009 exposed irregularities and shortcomings in the way that large Wall Street firms were doing business, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 was enacted to right some of those wrongs.

In both cases, the legislation provided direct remedies for the problems that were perceived to have led to the crises. Sarbanes-Oxley set clear standards for auditing firms that report on corporate financials. More important: it made senior executives in corporations directly responsible for the content of the financial statements the company issued. Dodd-Frank provided more checks on activities like the trading of derivatives and established a Consumer Financial Protection Bureau.

However, there has been no similar federal response to the steady drumbeat of data loss and hacking scandals from major corporations, nonprofits and government entities in the last 10 years. True: many states have enacted their own laws mandating disclosure of data breaches that affect their citizens.

But, as Sumit Agarwal, a former Senior Advisor for Cyber Innovation and Deputy Assistant Secretary of Defense noted when I spoke to him earlier this week: informing customers that their data may have been stolen does little to address the underlying causes of the breach.

The evidence seems to support this. To date, 47 states have passed some form of data breach notification laws, and yet the pace and size of breaches has only increased during the same period.

What’s the solution? Agarwal, who is now the Vice President of Strategy at the firm Shape Security, suggests federal laws that would put information security and data protection on par with other sensitive corporate activities.

Heads have started to roll in the Executive Suite as a result of computer mishaps and successful hacks. But on paper, senior executives can still claim ignorance about the nitty-gritty details of security audits, pen tests and patching, disregarding it as “geek stuff” (to use Agarwal’s term) that isn’t relevant to their job.

Forward looking cyber legislation wouldn’t merely force companies to disclose breaches to those affected by them, Agarwal notes. It would make senior executives liable for the accuracy of any statements about the integrity of the company’s information technology infrastructure and its operations.

Technology is becoming ever more important to the successful operation of companies. And that means the days of being able to dismiss it as “techy stuff” and mumbo jumbo are over.

“We’re coming into a realm where we all need to be more educated,” Agarwal said. I’ll second that!

About Paul Roberts

Paul Roberts (@paulfroberts) is the Editor in Chief and Founder of The Security Ledger (@securityledger).
