Corporate scandals, fiscal mismanagement, and poor choices in governance have made the public wary of large companies. In response, the government has enacted legislation such as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley to make sure that America’s corporations are keeping their ducks in a row, and their hands out of the corporate cookie jar. To their credit, corporations have responded well, taking on their legislative challenge and implementing far-reaching changes.
For the most part, these pieces of legislation are aimed at large corporations, and in the case of Sarbanes-Oxley, at corporations that are publicly traded. But that doesn’t mean the rest of us are free of oversight. Smaller businesses, although they may not be subject to these laws, in many cases must still comply with the spirit, if not the letter, of the law if they wish to do business with the big guys.
Here’s an example. California SB 1386, known as the California Information Practice Act, states that any company doing business in California must disclose breaches of information security. It sounds arcane, and it sounds like it’s limited to a single state, but this is one that reaches far beyond its intended audience. Under this law, if a breach of security has possibly compromised a database containing personal information of a California resident, the company has to issue a disclosure. No company wants to admit they’ve been broken into – but this law requires it, and is a major step towards stopping identity theft. Besides affecting California companies though, it affects any company in any state that does business in California, and any online business that has customers in California. Even if your company doesn’t have a California branch, it’s very likely that you have a contract with someone who does – so in effect, this piece of state legislation has become de facto national legislation. It affects everyone. If you have a company of any size, chances are you have at least a finger in the state of California somewhere. And if you are a small business that has a contract with a larger business, chances are, regardless of your location, you are liable to comply with this piece of legislation.
So too with Sarbanes-Oxley. This piece of legislation directly affects only publicly-held companies, but it can also have an impact on smaller businesses. These corporations must ensure that their financial data is secure and uncompromised. Since most corporations outsource a great deal, it’s very likely that some piece of financial data is being maintained by a third party. Public corporations must now not only guarantee that they are compliant, but also guarantee that all of their suppliers, contractors and outsource houses are compliant, regardless of whether those third parties are directly mandated by the government to comply.
Many larger companies have implemented far-reaching corporate changes to comply with these pieces of legislation, often creating a new executive position of Compliance Officer, and in some cases spending millions of dollars on studies, new software, and new staff members. The regulatory burden is of course greater on those companies who are directly mandated. This doesn’t mean that small companies will be put out of business by such legislation, however – but there’s no doubt that complying, even if you are not directly mandated to do so, will give you a competitive edge. It won’t be unusual for a large company looking for a contractor to require suppliers to be compliant with legislation such as Sarbanes-Oxley. For a smaller company, this may mean something as simple as implementing proper security precautions such as a firewall, strong authentication, and encryption of sensitive data. In some cases, small companies that have been attentive to security all along will find themselves already compliant, and will gain a big leg up when bidding for contracts with the big boys.