Regulations Cant Keep Up

Opinion: Hewlett-Packard's spying scandal and other sagas show the failure of the compliance movement.

Riddle me this: in this era of Sarbanes-Oxley, HIPAA and more regulations than I can keep track of, why does there continue to be a stream of outrageous corporate technology failings? Lets look at three of the most recent.

The first is the ongoing seedy saga of Hewlett-Packards top board member and other HP executives engaging in corporate spying on HPs own board members and employees and on journalists.

Wasnt Sarb-Ox, written four years ago in the wake of major accounting scandals at the likes of Enron, supposed to bring accountability and responsibility to the boardroom? The amount of money and time spent on regulatory compliance has been staggering, yet all those regulations have done little to thwart a company deciding to engage in unethical and possibly illegal practices to root out someone leaking corporate information.

Last week, regulators were called to Capitol Hill to provide an update on and defend the state of regulatory compliance. It seems more and more likely that change (in either loosening some regulations or lengthening the time for compliance deadlines) will happen during this legislative session.

The chief complaint I hear from tech execs about compliance is that, many times, regulations call for incredibly detailed reporting on products and processes (often with a joke about the need to detail the process for buying coffee included in the discussion) but miss the bigger violations that might be taking place.

While public companies are under orders to track and archive all e-mail, what about a process where a company chairman can go out and hire private investigators to track down a corporate leak? Where was SarbOx when those private detectives were being signed up to cull through the phone records of those under suspicion?

Coming in behind the HP scandal, and apparently far more widespread, is the stock-option-backdating scandal that, according to BusinessWeek, involved more than 100 public companies, many of which are high-tech.

At issue is the practice of backdating when companies award stock options retroactively to provide the option holder with the highest stock price gain. The process is an affront to shareholders and company employees too low on the money chain to take part in the financial reward system.

Wasnt SarbOx supposed to stop these types of financial shenanigans? Regulatory compliance has become one of the great drivers of IT spending, yet all that spending apparently missed the ability to send up a red flag when an option date was retroactively changed or granted.

Before regulators set about trying to "fix" the current system by asking for even more detailed reports, they need to ask themselves how something as apparently widespread as stock-option backdating could exist under the current regulatory environment.

The third area where regulatory oversight missed a burgeoning problem was the recent laptop recalls resulting from contaminated batteries.

/zimages/7/28571.gifWhat lessons can be learned from the Hewlett-Packard scandal? Click here to read more.

Last week, Toshiba joined several other computer makers engaged in recalls when it announced it was recalling 340,000 laptops worldwide.

The Toshiba recall was related to the batteries suddenly losing power and was far less serious than the recalls by Dell and Apple, which were due to their products potential fire problems. All the battery woes seem to lead back to batteries supplied by Sony.

Maybe Im missing something here, but these recalls seemed to follow a consistent process. First, blog entries popped up talking about battery issues. Vendors said they were looking into the issues and, after a period of weeks or months, suddenly issued a recall notice.

During that time, consumers were left in the dark to figure out whether their product was safe or unsafe. I always thought one goal of increased regulatory compliance was to make the operations of public companies more transparent.

Making the product-complaint-and-resolution process more transparent would be a noble goal for lawmakers looking to reshape the current state of regulation.

Editorial Director Eric Lundquist can be reached at

/zimages/7/28571.gifTo see reader response to this article, click here.

/zimages/7/28571.gifCheck out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.