Robert X. Cringely:
In the 1980s, we called them “corporate raiders.” In the 1880s, we called them “robber barons” — guys like Daniel Drew, Jay Gould, and Jim Fisk, who were the Ivan Boeskys and Michael Milkens of their era. No matter what the century, their game was the same, using other people’s money to take control of businesses and build empires.
Sometimes it was legal, often it wasn’t, but on the whole they got away with it, though at some cost to society. Get ready to go through it all again as a new era of robber barons begins, this time based primarily on the aggressive use of Information Technology.
We can argue whether IT has been good or bad for the world, whether it even shows a return on investment, but there is no doubt that it has changed the way things work. Part of that change was reflected in the shenanigans of looting pension funds in the 1980s and cooking books in the 1990s — both trends made possible in large part by computers. And society’s response to those abuses has also come in the form of Information Technology with the passage of a wide variety of laws to mandate the prolonged storage of corporate data or the protection of personal information. In the U.S., these laws go by names like Sarbanes Oxley (SOX), HIPAA, GLBA, and FERC, but they have their corollaries in most other developed countries. The short version of all these laws is that businesses are now held responsible for never throwing anything away if it can be held in digital form and for defending consumer data from theft or misuse.
So what’s the problem? Disk storage is cheap and getting cheaper, so in the most basic sense, complying with these new laws and regulations should be fairly simple. We already store data in digital form, so just stop erasing it. Oh, and keep the bad guys out of our personal information.
Only it isn’t that simple. The laws, themselves, are arcane and sometimes difficult to interpret correctly, but mainly companies are incompetent and lazy. To archive data requires first knowing where that data is. And safeguarding data that has already been compromised, well, that’s just impossible, isn’t it?
The sad fact is that hundreds of thousands of companies and organizations — everything from your bank to your school to the electric company — are probably not in compliance with at least some parts of these regulations. Governmental inertia would therefore suggest that, with so many out of compliance, heads aren’t likely to roll as a result. But in this case, that would be an incorrect assumption simply because interested third parties are about to become involved.
Those third parties would be the new robber barons.
Here’s an example of how it will work. Imagine your bank is a medium-sized publicly traded bank headquartered in the U.S. midwest with a national charter (that is, regulated by federal, rather than state, banking authorities). Now imagine your bank is not in compliance with Section 404 of Sarbanes Oxley. Section 404 requires as part of the regular audit process that the bank’s accounting firm (generally one of the Big 4) certify whether or not the bank is Section 404 compliant. Accounting firms, having paid billions in penalties recently for overlooking accounting errors at companies like Enron and Tyco, aren’t going to be lax about this provision. If the bank isn’t Section 404 compliant, which means they haven’t applied sufficient internal controls to data, the auditors will report that.
Well, if your bank isn’t in compliance (many won’t be), they’ll have to very quickly get in compliance. They’ll also have to pay a fine and perhaps one or more officers of the bank will do some time in prison. Really.
But there is a funny thing about banks, and that’s the way they are regulated and controlled, which makes possible a very different outcome in the case of a Section 404 violation. Technically, the bank can’t even continue to operate, because the legal definition of a bank is as a compliant organization. So a very real possibility is that your bank will be forced to merge with another bank that IS in compliance.
That’s the new scam. Big banks with sophisticated IT operations are going to appear at the doors of smaller, less sophisticated, banks literally demanding the keys. They’ll take over the building, the tellers, and of course the deposits for a price tag that may well be zero.
That’s a heck of a deal for everyone except the bank’s current shareholders.
The big accounting firms are in overall control of this process, which will also generate big fees for them as banks are consolidated. There are right now larger banks ready to adopt this new growth strategy AND IT WILL WORK. Look for this sort of consolidation to take place throughout the financial industry at all levels.
Take credit unions, for example, which have generally been immune to outside interference, hold hundreds of billions of dollars in deposits, and tend to loan money at lower interest rates than banks do. Big banks would love to be able to take over credit unions or put them out of business, but up until now that’s been impossible. Well, under Sarbanes Oxley, “sufficient control” can mean many things.
Consider a credit union that becomes a victim of cyber crime. Somebody cracks the system and makes off with a few hundred thousand dollars. This happens more than we’d guess because financial institutions tend not to make such public announcements, BUT THEY CAN’T HIDE IT FROM THEIR AUDITORS. Theft is the very definition of insufficient control (“I lost control of the money, officer.”), which means it violates Section 404.
These laws, especially the Gramm-Leach-Bliley Act of 1999 (GLBA), now make the victim of cyber theft into a criminal. And under Sarbanes Oxley, directors are held liable and can be sent to jail. As a director of a local credit union, would you rather do hard time or hand over the keys to the big bank from across town? You’ll hand over the keys.
Though the regulatory issues are a little less clear cut, Section 404 applies to public companies of all types and will probably be used to force the consolidation of many in the next couple of years, with the more technically sophisticated outfits generally benefiting the most. If a bank can acquire other banks using security laws and regulations at a discount to par value, why not any public company that can’t find a way to comply with SOX? An interesting problem for a Board of Directors: sell the company, or meet the SEC and Federal Regulators over SOX 404 compliance?
It’s not as hard to do such a takeover as one might imagine. Section 404 non-compliance, for example, would probably violate the provisions of most senior debentures issued by many companies, often long before Sarbanes Oxley was even proposed. Imagine a scenario, then, where a robber baron buys or otherwise comes to control some of that senior debt. A Sarbanes Oxley violation would make it possible to call the debt, which if it can’t be immediately repaid would result in the company being simply handed over to the creditor with no regard for holders of common stock. THIS WILL HAPPEN.
The new robber barons, if I can over-generalize, will tend to be from the West Coast, not from New York. Notice the accounting scandals of recent years have involved few West Coast companies, which tend to be younger and more astute about IT. With the likely exception of CitiBank, this next wave is going to hurt Manhattan, not help it.
What this means for the IT profession is a rapid appreciation in the value of a Security CCIE (Cisco Certified Internetwork Expert) especially if that CCIE comes with a Federal security clearance. There are presently only 494 Security CCIEs. It means a boost for IBM and Oracle, and a kick in the head for Microsoft and Great Plains. It is good for datacom companies and bad for telecom companies. And it is the best time ever to be a Big 4 accountant.
One has to wonder, though, whether any of this makes us safer as individuals and consumers. I doubt it. We’ve just bulked up the bureaucracy, added an extra layer or two of regulation, and for what? Some of these regulations have been around in one form or another for decades without positive or negative impact, only now the climate has changed, they’ll be enforced, and none of us will feel the least bit better for it.
Take FERPA, the Family Educational Rights and Privacy Act enacted in 1974 to protect student educational records. FERPA has been in effect for over 30 years, pertaining to any school, public or private, that receives funds under any program from the US Department of Education, which is to say ANY school. FERPA makes it a felony to disclose even portions of most student records. Now that most of those records are digital and we can supposedly track where they are and who has access, are we going to do what the law would seem to require — immediately throwing most U.S. school administrators into prison?
It takes more than a law to make us safer. Privacy and accountability are important things to protect, but what I’ve described here seems to mainly create a climate for manipulation and greed. We live in an information age and the importance of IT for organizations of all types can’t be over-emphasized, but I can only wonder, what’s next?