Abstract
This paper examines the utility of the Sarbanes–Oxley Act of 2002 in assisting regulators engaged in privacy policy development. By exploring best practices employed by the financial reporting industry, and the specific terms of the Sarbanes–Oxley Act of 2002, the present research offers guidance for their incorporation into privacy regulation. The paper advocates that both the FTC/Facebook Court Order and the Sarbanes–Oxley Act of 2002 should now be considered de facto minimum standards for American privacy policy, including required CEO certifications of industry obligations; establishment and maintenance of effective internal controls; required CEO, CFO and CPO certification of control compliance; disgorgement of ill-gotten gains by organizations and executives; a requirement of independent third-party compliance review as well as independence of audit committees and privacy compliance staff; and, finally, the establishment of, and compliance with, a regulatory oversight board similar to the PCAOB.
Acknowledgments
The authors would like to offer a special thanks to Professor Peter Swire for his input and thoughts.
Ethics declarations
Conflict of interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
Cite this article
Ryle, P.M., Bueltel, B.L., McKnight, M.A. et al. Decoding lessons from the Facebook Consent Decree: Does Sarbanes–Oxley foreshadow the future of privacy regulation?. Int J Discl Gov 19, 1–10 (2022). https://doi.org/10.1057/s41310-021-00124-2
DOI: https://doi.org/10.1057/s41310-021-00124-2