The auditor told Spaltro that Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement.

Furthermore, the auditor told Spaltro, the passwords Sony employees were using did not meet best practice standards that called for combinations of random letters, numbers and symbols. Sony employees were using proper nouns. (Sox does not dictate how secure passwords need to be, but it does insist that public companies protect and monitor access to networks, which many auditors and consultants interpret as requiring complex password-naming conventions.)

Summing up, the auditor told Spaltro, “If you were a bank, you’d be out of business.”

Frustrated, Spaltro responded, “If a bank was a Hollywood studio, it would be out of business.”

Spaltro argued that if his people had to remember those nonintuitive passwords, they’d most likely write them down on sticky notes and post them on their monitors. And how secure would that be?

After some debate, the auditor agreed not to note “weak passwords” as a Sox failure.

Doing the Right Thing
Spaltro’s experience illuminates a transaction that’s rarely discussed outside corporate walls. Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation. How to (or, for some CIOs, even whether to) follow regulations is neither a simple question with a simple answer nor a straightforward issue of following instructions. This makes it more an exercise in risk management than governance. Often, doing the right thing means doing what’s right for the bottom line, not necessarily what’s right in terms of the regulation or even what’s right for the customer.

“There are decisions that have to be made,” Spaltro explains. “We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What’re the most important things that are absolutely required by law?” Spaltro does those, noting that “Sony is over-compliant in many areas,” and he says that Sony takes “the protection of personal information very seriously and invests heavily in controls to protect it.”

He adds that “Legislative requirements are mandatory, but going the extra step is a business decision” based on what makes business sense.