Forensics Journal - Stevenson University 2013 | Page 58
The U.S. Sarbanes Oxley Act was created in an effort to eradicate
financial statement fraud by publicly traded corporations. The
reporting requirements of U.S. companies under the Sarbanes Oxley
Act of July 30, 2002, conflict with Directive 95/46/EC. The Sarbanes Oxley Act requires companies to establish a code of ethics and
to implement methods which permit the anonymous reporting by
employees of questionable “financial improprieties.” This has resulted
in the implementation of telephone hotlines or fraud hotlines by U.S.
companies for the reporting of suspected incidents of fraud. The
implementation of hotlines by American multinational companies at
European subsidiary operations conflicts with the Directive and the
separate privacy laws enacted by Member Countries (Bennett). For
example, France determined that hotlines violated “French principles
of individual privacy, human rights and human dignity” (Bennett).
A German labor court found that Walmart’s corporate code of ethics
may violate Germany’s privacy laws, because it requires employees to
report suspected violations of the corporate code of ethics (Bennett).
The Directive requires companies to “implement appropriate technical and organizational measures to protect personal data against
accidental or unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access, in particular when the processing
involves the transmission of data over a network, and against all other
unlawful forms of processing” (Directive: Article 17(1)). American
multinational companies abdicate their control function when they
opt to use cloud computing services, outsourced suppliers, and third
party providers.
If the cloud computing services use “server virtualization,” the collected confidential data may be stored in “containers” on the same
server along with another company’s data (Manning, 20). Although
there may be no threat to the data, a study performed by the National
Computing Centre found that cloud computing services can experience systems failures, data loss, data corruption, and data theft (Armstrong, Burnett, and Davis). Therefore, it is imperative that American
multinational companies enter into binding data protection agreements with cloud computing services whose security measures meet
the stringent standards of the Directive and the Member country’s
own privacy laws.
THE DANGERS OF CLOUD COMPUTING
American multinational companies face another challenge in complying with European privacy laws when their European subsidiary
operations contract with third parties for information technology and
cloud computing services. With companies seeking to streamline
business operations and cut costs, the use of virtual servers to store
data and software applications offered by cloud computing services
has dramatically increased in the last few years. Companies can
simply subscribe to cloud technology services with a credit card as
these service providers allow users to access data at any time from any
device.
THE U.S.-EUROPEAN UNION SAFE HARBOR FRAMEWORK
To facilitate trade between Europe and the United States, the European Commission and the U.S. Department of Commerce’s International Trade Administration negotiated an arrangement, agreeable
to both, for the acceptable flow of protected data from the European
Union to the United States. The result was the U.S.-European Union
Safe Harbor Framework. The principles stated in the Safe Harbor
Framework reflect a convergence of U.S. privacy standards and the
European Commission’s requirements for the adequate protection of
personal data (United States Department of Commerce, Introduction).
Although utilizing cloud computing technology is easy and cost-efficient,
the actual location of the stored data may be difficult to
ascertain. The movement of data from a European subsidiary location to the U.S. headquarters office may be routed through a number
of Member countries. To lawfully move the personal data, without
violating European privacy laws, it is necessary