Decoding lessons from the Facebook Consent Decree: Does Sarbanes–Oxley foreshadow the future of privacy regulation?
Document Type
Article
Date of Original Version
1-1-2021
Abstract
This paper examines the utility of the Sarbanes–Oxley Act of 2002 to assist regulators engaged in privacy policy development. By exploring best practices employed by the financial reporting industry, and the specific terms of the Sarbanes–Oxley Act of 2002, the present research offers guidance for the incorporation into privacy regulation. The paper advocates that both the FTC/Facebook Court Order and the Sarbanes–Oxley Act of 2002 should be now be considered de facto minimum standards for American privacy policy, including required CEO certifications of industry obligations, establishment and maintenance of effective internal controls, required CEO, CFO and CPO certification of control compliance, disgorgement of ill-gotten gains by organizations and executives, requirement of independent third-party compliance review as well as independence of audit committees and privacy compliance staff and, finally, the establishment of, and compliance with, a regulatory oversight board similar to the PCAOB.
Publication Title, e.g., Journal
International Journal of Disclosure and Governance
Citation/Publisher Attribution
Ryle, Patrick M., Brett L. Bueltel, Mark A. McKnight, and Judy K. Beckman. "Decoding lessons from the Facebook Consent Decree: Does Sarbanes–Oxley foreshadow the future of privacy regulation?." International Journal of Disclosure and Governance (2021). doi: 10.1057/s41310-021-00124-2.