Arguing the SOX 404 Dagger

Ron Paul seems to have written a very pointed (no pun intended) argument against Sarbanes-Oxley. He suggests that it is a bill hurting US companies. It is dripping with melodrama. Here is the type of “evidence” cited:

Journalist Robert Novak, in his column of April 7, said that, “[f]or more than a year, CEOs and CFOs have been telling me that 404 is a costly nightmare” and “ask nearly any business executive to name the biggest menace facing corporate America, and the answer is apt to be number 404…a dagger aimed at the heart of the economy.”

Funny thing about the mortgage crisis hitting financial institutions, which some people might call the economic menace in America right now, is that it seriously cut down the anti-SOX rhetoric. I guess it is much harder to argue against regulating industries when catastrophes continue to beset them. Should the financial industries be allowed to make giant mistakes, even if they are honest/innocent ones instead of malicious? I suppose the real issue is not so much whether we can really know motives, but that the consequences of management decisions are clear. How else can regulators define the boundaries of acceptable consequences other than to say that fraud and deception are no longer acceptable practices? You have to draw a line somewhere, no?

Earlier in the speech, Ron Paul suggested that the post-dot-com financial climate shows the type of damage done by SOX.

Sarbanes-Oxley imposes costly new regulations on the financial services industry. These regulations are damaging American capital markets by providing an incentive for small US firms and foreign firms to deregister from US stock exchanges. According to a study by the prestigious Wharton Business School, the number of American companies deregistering from public stock exchanges nearly tripled during the year after Sarbanes-Oxley became law, while the New York Stock Exchange had only 10 new foreign listings in all of 2004.

My memory may be a bit cloudy now, and I am certainly no economics whiz, but that is not the analysis I would have expected. After the crash, many companies were simply not viable and therefore de-listing was a natural effect of their shrinking and burning out. 2002, the year SOX became law, was a brutal time for anyone thinking about going public or remaining public to generate revenue. Trust was gone. The companies doing best were the blue-chip ones because, confidence-wise, they had the more compelling story to tell (Cisco, IBM, HP, etc.), and that was ultimately who gave the buzz back to Silicon Valley.

Here’s another section in the speech I find strange:

Compounding the damage done to the economy is the harm Sarbanes-Oxley does to constitutional liberties and due process. CEOs and CFOs can be held criminally liable, and subjected to 25 years in prison, for inadvertent errors. Laws criminalizing honest mistakes done with no intent to defraud are more typical of police states than free societies. I hope those who consider themselves civil libertarians will recognize the danger of imprisoning citizens for inadvertent mistakes, put aside any prejudice against private businesses, and join my efforts to repeal Section 404.

Prejudice against private businesses? Makes me wonder if a stop sign is a form of prejudice against drivers. Strange to think of a safety precaution as a form of prejudice. Perhaps that analogy is too simple. Are health code regulations imposed on restaurants a prejudice against private businesses?

Incarcerating people for honest mistakes with no intent to defraud? That is clearly not the intent of the law, at least how I have read it. The text states in Section 802(a)1519 that fines and jail are for someone who “knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence…”.

Looks like the authors went to some trouble to ensure honest mistakes were not within scope. Moreover, the law actually states 20 years as the maximum. Again see Section 802.

…shall be fined under this title, imprisoned not more than 20 years, or both.

Where did 25 years come from? Sure, mistakes happen, but the goal is to help avoid the big predictable disasters, especially those created through dishonest practices.

And finally, as I sit here and work on compliance projects for JSOX (Japan), Policy 52-109 (Canada), CLERP-9 (Australia) or even Basel II (Europe) for that matter, I can hardly agree that the US has a disadvantage. The world is following the SOX act and so the US actually seems to have been a leader in this area by requiring a baseline of honesty and transparency from businesses. There is no doubt that SOX added a burden to some (especially those least in compliance), and I can see how this burden is higher for smaller companies who are not as equipped to document their compliance efforts, but for all the usual libertarian barking in Ron Paul’s speech about regulations I fail to see any tangible bite.

Using your medical records to convict your family

The San Francisco Chronicle has posted a story about the Kansas BTK killings that brings to light the privacy issues with family-wide medical records.

[Detectives] learned that Rader had a daughter who had attended Kansas State University, and they reasoned that at some point she must have used the medical clinic, said Wichita police Lt. Ken Landwehr. “It was suggested that she probably had a Pap smear,” he said. Federal law requires that labs keep Pap smears for five years, principally in case of legal challenges over diagnoses.

The prosecutors obtained a subpoena and a court order for the daughter’s specimen to compare with BTK’s DNA. An exemption in the Family Educational Rights and Privacy Act allows law enforcement to obtain a student’s health data with a court order.

“It was obviously good detective work,” said Nola Tedesco Foulston, the prosecutor in the case.

At the same time, said George Washington University law professor Sonia Suter, “it is so troubling to think that somebody would have a sample taken for her medical welfare that is then used to implicate her father.”

I remember reading about the BTK case, but never heard this side of the story. It certainly raises the question of prior consent. Should one member of a family be required to release their own identity evidence when it could implicate another? And that is just the beginning of what looks like an ethical quagmire.

I really like this quote from a man in New York:

As things stand in some states, lab analysts who discover a potential suspect in this way may not be permitted to share that information with investigators. Such a policy, said William Fitzpatrick, a New York state district attorney, “is insanity. It’s disgraceful. If I’ve got something of scientific value that I can’t share because of imaginary privacy concerns, it’s crazy. That’s how we solve crimes.”

Imaginary? According to US federal compliance requirements for personal identity information, as conveniently documented in HIPAA, privacy concerns are very real and very regulated.

The details of the BTK case remind me of a college philosophy professor of mine who once explained that he gave up practicing law after he grew frustrated trying to defend people against law enforcement officers who flagrantly and repeatedly violated individual privacy. Apparently he thought arguing the case for people after they had experienced a violation was ineffective compared with trying to explain ethics to students. Or maybe he just thought it less stressful.

The Supreme Court has repeatedly held that authorities may not conduct searches for general law enforcement purposes without individualized suspicion. Although convicted criminals have a diminished right to privacy, searching a database for unknown kin might violate that principle, said Jeffrey Rosen, a George Washington University law professor. “The idea of holding people responsible for who they are rather than what they’ve done challenges deep American principles of privacy and equality,” he said. “Although the legal issues aren’t clear, the moral ones are vexing.”

The article is definitely worth a read; it really brings forward the underlying challenge of good/fair governance that plagues compliance and control objectives.

Edited to add (May 9, 2008):

The LA Times published an article on this topic titled “California takes lead on DNA crime-fighting technique”.

Funny title. You would think it would be a crime in America to take your DNA without your consent. It is not, and the Times apparently thinks this development makes California a “leader” in fighting crime:

The policy, which takes effect immediately, is designed to work like this: The state’s crime lab will tell police about DNA profiles that come up during routine searches of California’s offender database and closely resemble, but do not match, the DNA left at a crime scene. (Previously, the state refused to tell police about these partial matches.)

The lab will then perform calculations and tests to determine the likelihood of a biological relationship between the person found in the database and the unknown offender believed to have left DNA at the crime scene.

When such partial matches do not surface or fail to produce a lead, a more customized familial search can be done in which computer software scans the database proactively for possible relatives. The software measures the chance of two people being related based on the rarity of the markers they share.

So, California is the first state to require a “customized familial search” and supposedly has a set of safety measures — family DNA privacy is violated only after all other leads run dry. The LA Times does not give any details other than to say they exist. Not very convincing.

Consider, for example, the following comment on a Washington Post story about the same:

The secret use of Ms. Rader’s DNA is reprehensible, and certainly would not pass a constitutional challenge. However, to make it very clear, we do need a federal law that would ban the use of DNA taken from a non-suspect for a specific purpose from being used WITHOUT CONSENT for different purposes having to do with other people. Additionally, in the Rader case, has anyone considered that this is simply laziness by the police force? Dennis Rader was already the prime suspect; why did they not obtain DNA from the suspect himself — a cup, tissue, straw, cigarette, utensil, etc? As with fingerprints, that is not prohibited by the 5th Amendment.

Excellent insight.

Incidentally, the new law in California is backed by Jerry Brown, a former governor who defeated Ronald Reagan in the 1966 election. He is known for things like opposition to the death penalty, opposition to the Vietnam War and hosting a populist talk-show radio program on Pacifica Radio in Berkeley. Not exactly the sort of guy you would expect to be in this anti-privacy position.

The LA Times article quotes Brown to give his perspective:

Brown said the new approach was justified by violent crime plaguing the state. He emphasized that it would be used only when all other leads had been exhausted.

“We have 2,000 murders a year in California — that is 10,000 since the Iraq war started — and that is a lot of killing,” Brown said. “When you see it and see the victims and have to go to funerals, it is pretty serious stuff.”

I can understand if a suspect search is done in terms specific to that person (e.g. tall, dark, light, fat, wearing x, y, z) but searching through a family’s private records without their consent appears to be a step backwards in terms of security and safety of the public. I suspect (no pun intended) that there are better methods to explore that would reduce violent crime without significant loss of privacy. I fear bad management of this provision and expanded access to DNA data will do more damage than good.

They shoot horses, don’t they?

The Associated Press tells a moving story about a bald eagle who has struggled with survival after a violent attack by humans:

Part of Beauty’s beak was shot off several years ago, leaving her with a stump that is useless for hunting food. A team of volunteers is working to attach an artificial beak to the disfigured bird, in an effort to keep her alive.

“For Beauty it’s like using only one chopstick to eat. It can’t be done,” said biologist Jane Fink Cantwell, who operates a raptor recovery center in this Idaho Panhandle town. “She has trouble drinking. She can’t preen her feathers. That’s all about to change.”

Cantwell has spent the past two years assembling a team to design and build an artificial beak. They plan to attach it to Beauty this month. With the beak, the 7-year-old bald eagle could live to the age of 50, although not in the wild.

The odd thing to me about this heroic effort is how it compares to the treatment of Eight Belles after the horse earned its owners $400,000 for finishing second in the Kentucky Derby. I have refrained from commenting on the horse until now because I was hoping to hear more from the owner’s perspective, but his latest statement concerns me even more than before:

“We have photos 50 to 70 yards from where this happened and the horse had her ears up and she was happy,” Jones told Reuters in a telephone interview on Monday.

“If this horse had anything going on with her at the time, she didn’t know it. If the horse never had a clue, there’s no way the jockey could have had a clue.”

About a quarter-mile after finishing second to Big Brown in the $2 million Derby, Eight Belles collapsed on the Churchill Downs track with two shattered ankles and was put down by lethal injection.

Compare/contrast. Innovation to save a life versus…?

If the horse was happy and did not know only moments before that she would break her legs…why not spend some of her winnings to find a way to survive the injury and help other horses prevent similar injuries or recover from them as well?

I do not claim to understand animal science or medicine, but I see the bald eagle story as inspiring while the Derby incident feels like the opposite. Why did the horse have to be put down immediately? Conventional wisdom seems to suggest that horses can survive fractures, and the owners must have health insurance. I am sure any number of experts will be called upon to explain the death, but think of the eagle and imagine a different ending for the prize money:

The hoof is a bit like a fingernail, and the onus is similar to a human trying to get around — fast — just on the middle toe of the foot.

That’s why a horse’s leg has to be repaired quickly and the horse has to put weight back on it quite soon. Otherwise, there’s just too much pressure on the leg that doesn’t have a partner, especially if that’s a foreleg, McIlwraith said.

Horses using just three legs will develop laminitis, a condition that doesn’t have a human equivalent.

It is not easy, clearly, to save a horse’s life. Science is helping, but I guess the question is what would motivate a race horse owner to save an injured young horse, or even give it up for adoption, instead of euthanizing it immediately?

iC critique of Société Générale

I was just listening to a presentation of how the SIEM deployment at Société Générale did not work adequately. It is not hard to figure out the vendor they used, so I’ll leave it alone here, but you might want to look it up if you own one or are considering a purchase.

Researching some of the control/compliance mistakes brought me to a site called innovation Creators where a consultant had a few blistering comments, attacking both the WSJ and Société Générale management:

Derivatives trades may be complex bets, but they do result in real money flowing back and forth. That real money comes out of real bank accounts. Eventually, the CFO has to notice. Something like

“Holy Crap! We have 500 Million more Euros than we thought we would.”

And, when your bets start to get into the Billions of Euros, if you are betting exchange traded futures, real margin calls start to happen. If you are betting OTC derivatives, other banks, with halfway decent internal controls, start calling you up and asking for more collateral.

The SocGen CFO and the head of Treasury should have noticed.

Some good questions raised by the author, and useful insights, albeit a bit condemning of human error. I am most curious about how the SIEM implementation will change now, or whether they will abandon the current vendor and seek out one of the market leaders to help fix their controls.