Forensics Journal - Stevenson University 2013 | Page 58

The U.S. Sarbanes-Oxley Act was created in an effort to eradicate financial statement fraud by publicly traded corporations. The reporting requirements of U.S. companies under the Sarbanes-Oxley Act of July 30, 2002, conflict with Directive 95/46/EC. The Sarbanes-Oxley Act requires companies to establish a code of ethics and to implement methods which permit the anonymous reporting by employees of questionable “financial improprieties.” This has resulted in the implementation of telephone hotlines or fraud hotlines by U.S. companies for the reporting of suspected incidents of fraud. The implementation of hotlines by American multinational companies at European subsidiary operations conflicts with the Directive and the separate privacy laws enacted by Member Countries (Bennett). For example, France determined that hotlines violated “French principles of individual privacy, human rights and human dignity” (Bennett). A German labor court found that Walmart’s corporate code of ethics may violate Germany’s privacy laws, because it requires employees to report suspected violations of the corporate code of ethics (Bennett).

The Directive requires companies to “implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular when the processing involves the transmission of data over a network, and against all other unlawful forms of processing” (Directive: Article 17(1)). American multinational companies abdicate their control function when they opt to use cloud computing services, outsourced suppliers, and third-party providers. If the cloud computing services use “server virtualization,” the collected confidential data may be stored in “containers” on the same server along with another company’s data (Manning, 20).
Although there may be no threat to the data, a study performed by the National Computing Centre found that cloud computing services can experience systems failures, data loss, data corruption, and data theft (Armstrong, Burnett, and Davis). Therefore, it is imperative that American multinational companies enter into binding data protection agreements with cloud computing services whose security measures meet the stringent standards of the Directive and the Member country’s own privacy laws.

THE DANGERS OF CLOUD COMPUTING

American multinational companies face another challenge in complying with European privacy laws when their European subsidiary operations contract with third parties for information technology and cloud computing services. With companies seeking to streamline business operations and cut costs, the use of virtual servers to store data and software applications offered by cloud computing services has dramatically increased in the last few years. Companies can simply subscribe to cloud technology services with a credit card, as these service providers allow users to access data at any time from any device.

THE U.S.-EUROPEAN UNION SAFE HARBOR FRAMEWORK

To facilitate trade between Europe and the United States, the European Commission and the U.S. Department of Commerce’s International Trade Administration negotiated an arrangement, agreeable to both, for the acceptable flow of protected data from the European Union to the United States. The result was the U.S.-European Union Safe Harbor Framework. The principles stated in the Safe Harbor Framework reflect a convergence of U.S. privacy standards and the European Commission’s requirements for the adequate protection of personal data (United States Department of Commerce, Introduction).

Although utilizing cloud computing technology is easy and cost efficient, the actual location of the stored data may be difficult to ascertain. The movement of data from a European subsidiary location to the U.S. headquarters office may be routed through a number of Member countries. To lawfully move the personal data, without violating European privacy laws, it is necessary