An End to Sarbanes-Oxley
Channel Insider ^ | November 30, 2009 | Larry Walsh

Posted on 12/01/2009 1:04:54 PM PST by IronKros

Next Monday, the nine justices of the U.S. Supreme Court will hear arguments in Free Enterprise Fund and Beckstead and Watts v. Public Company Accounting Oversight Board (PCAOB) and United States of America. If the plaintiffs are successful, they could unravel one of the most used and persuasive tools in security technology sales: the Sarbanes-Oxley Act of 2002.

The particulars of the case aren’t really that important, but I’ll recount them quickly. Beckstead was a small accounting firm in Henderson, Nev. (just outside Las Vegas). It was audited by PCOAB in 2004 for compliance with Sarbanes-Oxley and several deficiencies were found. However, the cost of compliance was so high that it forced Beckstead to go out of business.

Now, here’s where things get interesting. Beckstead decided to sue PCOAB not over the deficiencies found, but rather the oversight board’s very right to existence.

You see, Congress created PCOAB as an independent regulatory and oversight arm for the enforcement of Sarbanes-Oxley. The idea was for PCOAB to operate free of political influence and have the ability to pay market rates for its experts. Sounds like a good idea, considering the political and financial fallout created by the collapse of companies like Enron and Global Crossing that inspired SOX in the first place.

However, Beckstead’s lawyers, Michael A. Carvin and Noel J. Francisco, partners at the giant law firm Jones Day, think they have found a loophole not in SOX, but in the Constitution, that could be the PCOAB’s and the law’s undoing. The government and its regulatory enforcement agencies operate under a system of checks and balances. In many cases, that means the president appoints the governing board and Congress confirms their appointment. A similar process would be used for the removal of officers (think impeachment). But the way SOX created PCOAB, the body is free of both congressional and executive branch oversight, and that makes SOX unconstitutional, Beckstead’s lawyers will argue.

Now, legal scholars and experts say Congress could simply fix the bill by amending SOX to include congressional and presidential oversight. However, that could be enough to open SOX for rewriting and reinterpretation. In other words, a legal victory for Beckstead could unravel SOX.

Why is this important to security vendors and solution providers? Basically, it comes down to Section 404, which spells out the security and integrity of data used to compile reporting for SOX compliance. Many auditing firms have used 404 as a lever for imposing stringent security technology requirements on publicly traded companies regulated by SOX and their business partners. SOX security compliance has proven effective for vendors and solution providers, as it forces regulated enterprises to spend billions of dollars on technology that, many times, doesn’t prevent security incidents but does make them compliant with the law.

In 2007, PCOAB changed the security requirements, placing the onus on auditors to prove a causal relationship between security requirements and SOX-governed data. Nevertheless, SOX has proven a resilient justification for security spending.

Should Beckstead succeed in its arguments, SOX could be rendered inert, and that will have a serious impact on the sales and messaging of security solutions. Granted, there are plenty of federal and state security regulations, and a growing number of them, particularly those involving security breach disclosure and the protection of electronic medical records, but the defeat of SOX will cast doubt in the minds of security decision-makers for some time to come.


TOPICS: Business/Economy; Computers/Internet; Government
KEYWORDS: oversight; sarbanesoxley
The spelling is horrible and the guy couldn't get the acronym correct, but it is an interesting predicament.
1 posted on 12/01/2009 1:04:55 PM PST by IronKros

To: IronKros

It could call into question all of the government regulatory agencies.


2 posted on 12/01/2009 1:07:35 PM PST by IronKros (Science is the great antidote to the poison of enthusiasm and superstition. ~Adam Smith, The Wealth)

To: IronKros

Gramm-Leach-Bliley, PCI, NIST, ISO and many other standards exist to push security technology. SarbOx is convenient because of its broad application, but it is by no means the only lever. For example, SarbOx only applies to publicly traded companies, so hundreds of thousands of small and mid-sized businesses, where much of the vulnerability exists anyway, are unaffected. Many of the bigger companies, the ones affected by SarbOx, have internal security departments that push security technology independent of any regulations, if only because it saves operational costs.


3 posted on 12/01/2009 1:13:15 PM PST by Little Pig (Vi Veri Veniversum Vivus Vici.)

To: IronKros
But the way SOX created PCOAB, the body is free of both congressional and executive branch oversight, and that makes SOX unconstitutional, Beckstead’s lawyers will argue.

But what if it's free of judicial oversight as well, eh?

The Fed will NOT like this line of reasoning!

4 posted on 12/01/2009 1:43:00 PM PST by pepsi_junkie (Who is John Galt?)

To: IronKros

SOX SUX whether Red, White, or Congressional.


5 posted on 12/01/2009 1:47:37 PM PST by MIchaelTArchangel (A village in Kenya is missing its idiot.)

To: Little Pig

SOX is currently making my life MISERABLE!!!

My little company was bought out by a publicly traded company last year. Needless to say, we have enough work to do anyway; this really adds to the burden, and we have no other resources to help us get compliant. We get a lot of “not in compliance” memos... oh darn!

I am SO praying this is dumped!


6 posted on 12/01/2009 2:09:41 PM PST by RebelTXRose

To: IronKros

bump


7 posted on 12/01/2009 2:14:44 PM PST by WashingtonSource

To: RebelTXRose

Being bought out should have pushed the responsibility of getting you compliant onto the parent company. Their infosec department should handle any remediation. It also sounds like they didn’t do much due diligence pre-purchase, if all they can do is keep telling you how bad your (former) company’s security is now.


8 posted on 12/01/2009 2:18:00 PM PST by Little Pig (Vi Veri Veniversum Vivus Vici.)

To: Little Pig

They already think they paid too much for us...

WE THINK they are working us to death (instead of hiring some help) before they shut the place down AFTER they have “transitioned” everything to the home office in another state.


9 posted on 12/01/2009 4:14:58 PM PST by RebelTXRose
