Copyright Goodheart-Willcox Co., Inc. 62 Principles of Cybersecurity

This law is designed to crack down on corporate fraud. Some of its provisions included creating a Public Company Accounting Oversight Board to oversee the accounting industry. Company loans to its executives were banned. Rules were instituted to protect whistleblowers who came forward to report fraudulent practices.

Some of the key provisions require executives to personally certify the accuracy of financial information and statements. Violators could be penalized with up to 20 years in prison. Internal control structure and procedures have to be maintained. It is here that the IT department has a significant role in protecting the information. For example, data, including files and e-mail, must be retained. One of the contributing factors that prompted the legislation was the conduct of Arthur Andersen, a prominent accounting firm. In an effort to hide evidence of fraudulent work performed for the company Enron, employees deleted relevant files and shredded paper copies of the files and e-mail. Enron was an energy company headquartered in Houston, Texas, as shown in Figure 2-20.

There have been many cases prosecuted under SOX. One of the first cases involved an auditor from Ernst & Young in San Francisco. He pled guilty to destroying documents in an effort to impede an investigation by the SEC. In this case, he did not physically dispose of the documents, but altered their contents.

While there have been many successful prosecutions of fraud resulting from this law, there was the strange case of John Yates. Yates was a commercial fisherman seeking red grouper off the coast of Florida. During the outing, the boat was boarded by a state Fish and Wildlife officer who discovered that 72 of the fish were undersized. On the vessel's return to port, an examination found only 69 fish. Yates was charged with violating the Sarbanes-Oxley Act by destroying tangible evidence and was convicted. Yates appealed his conviction, arguing that the law applied to documents, not fish. After three years, the Supreme Court agreed and reversed the case against Yates.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) protects electronic medical records and personal health information. Any company that handles medical records or insurance information must comply with the requirements of this legislation. It applies to medical practices and hospitals, as shown in Figure 2-21. In addition, it covers pharmacies and other businesses that handle personal health-care information. It even applies to health-care-related employee information within a business.

Health-care information can reveal much about a person. It can be exploited and used improperly. It can even be used as a form of identity theft in which a criminal impersonates a victim to obtain medical care. Stolen medical records can result in fraudulent billing. Consider the case of Helene Michel of Medical Solutions Management, Inc. Over a four-year period, she used her position to enter nursing homes where she accessed and stole patient records. She then used this information to submit $10 million in false billings to Medicare. She was convicted

CompTIA Security+ 5.8

Figure 2-20. The Enron Complex in Houston was the headquarters of Enron when the company was involved in fraudulent practices that led in part to the Sarbanes-Oxley Act. This building is now owned by Chevron Corporation and is no longer called the Enron Complex. (Photo: KENNY TONG/Shutterstock.com)