ABSTRACT
People do not trust institutions when they believe that the appropriate policies to deter abuse are lacking or not being enforced. When the public trust is threatened, often new regulations and policies are put into place to restore trust. For example, Enron was a leading energy company in the 1990s that went bankrupt in 2001. Enron’s pensioners, employees, and ordinary shareholders suffered huge financial losses while Enron’s top management made hundreds of millions of dollars from selling stock at prices inflated by fraudulent financial reporting. Instead of stopping the fraud, Enron’s accounting auditor Arthur Andersen helped carry it out, then tried to destroy the evidence [4]. To restore public trust in the financial accountability of publicly traded corporations, Congress passed the Sarbanes-Oxley Act (SOX) [230] in 2002. To comply with SOX, companies have had to make fairly expensive changes to their IT processes; Congress’s intent is that the cost of these changes is much less than the cost to society of not being able to trust corporate financial reports. Similarly, compliance with the Health Insurance Portability and Accountability Act (HIPAA) [100] has been quite expensive, but presumably much less than the societal cost of errors, omissions, and inappropriate disclosure of medical records. HIPAA and SOX created markets for new IT products that could increase assurances at reasonable cost. As society increases its reliance on electronic delivery of services from government, business, and educational institutions, new trust issues will continue to arise, and trust-related legislation and opportunities for new technology that increase trust will continue to grow. Already there are many major regulations that address IT trust issues, including the Gramm-Leach-Bliley Act (GLBA),1 Federal Information Security Management Act (FISMA) [83], Securities and Exchange Commission (SEC) Rule 17-a4 [212], Food and Drug Administration 21 CFR Part 11 [78], the FERPA [79],2 the E-Government Act (EGA) [73], and the Patriot Act [193]. (In what follows, we will refer to these by their acronyms.) Information management issues play a major role in these regulations, illustrating the pervasive impact of security and privacy practices in data management on finance, commerce, health care, government, and individual members of society. In the reverse direction, policymakers (Figure 19.1) can exploit new developments in IT to improve societal security and trust.
