What Does Sarbanes-Oxley Have To Do With Information Security?
Although it has a high profile in corporate America, the Sarbanes-Oxley Act has not been at the center of discussions about the need for corporations to adopt appropriate information security measures. However, a recent article in the August 29th, 2005 issue of the National Law Journal by well-known Chicago trade secrets lawyer R. Mark Halligan persuasively suggests that "... directors and top managers must become actively involved with intellectual asset management and information security, to avoid both civil and criminal liability under Sarbanes-Oxley and shareholder derivative suits for the breach of the fiduciary duty to adequately protect intellectual property assets.", and that this represents a "sea change" in the law.
Pointing to estimates that trade secrets comprise 80% of the assets of "New Economy" companies, Halligan argues that trade secrets define an asset class and "can no longer be viewed as an amorphous intellectual property right". Synthesizing actions taken by the SEC, the New York Stock Exchange, the IRS, and the Financial Accounting Standards Board (FASB), as well as changes in corporate governance law and even the Federal Sentencing Guidelines, he goes on to suggest that since they are financial assets, Sarbanes-Oxley requires that trade secrets be identified, classified, valued and those values publicly reported, and be the subject of adequate internal controls such as effective access restrictions. Halligan suggests that corporate directors need to exercise sufficient oversight over these measures or risk shareholder derivative suits and loss of key and valuable corporate assets.
Halligan also makes the key point that in order for the owners to effectively take legal action to protect trade secrets, statutes such as the Uniform Trade Secrets Act, now adopted in some form by the vast majority of states, require that the owner of information claimed to be a trade secret be able to establish that it has taken reasonable measures to protect the trade secrets from disclosure. Because most trade secrets are now created and stored electronically, trade secret protection now becomes "inextricably intertwined" with other information security measures.
Posted by Bob Blackstone