This paper examines the utility of the Sarbanes–Oxley Act of 2002 to assist regulators engaged in privacy policy development. By exploring best practices employed by the financial reporting industry, and the specific terms of the Sarbanes–Oxley Act of 2002, the present research offers guidance for the incorporation into privacy regulation. The paper advocates that both the FTC/Facebook Court Order and the Sarbanes–Oxley Act of 2002 should be now be considered de facto minimum standards for American privacy policy, including required CEO certifications of industry obligations, establishment and maintenance of effective internal controls, required CEO, CFO and CPO certification of control compliance, disgorgement of ill-gotten gains by organizations and executives, requirement of independent third-party compliance review as well as independence of audit committees and privacy compliance staff and, finally, the establishment of, and compliance with, a regulatory oversight board similar to the PCAOB.

本文研究了2002年《萨班斯法案》（Sarbanes-Oxley Act）对协助制定隐私政策的监管机构的效用。通过探索财务报告行业采用的最佳做法以及2002年《萨班斯法案》的特定条款，本研究为将其纳入隐私法规提供了指导。该论文主张，现在应将FTC / Facebook法院命令和2002年《萨班斯-奥克斯利法案》视为美国隐私政策的事实上的最低标准，包括要求的CEO对行业义务的证明，有效的内部控制的建立和维护。首席执行官，首席财务官和首席财务官对控制合规性的证明，对组织和高管的不正当收益的侵害，