Covered Entities: Corporate Financial Organizations
Governed by the Securities and Exchange Commission (SEC)
Passed in 2002 because of numerous large accounting scandals, the Sarbanes-Oxley Act (SOX) is a law enacted by the Securities and Exchange Commission that sets forth standards for recording and reporting of corporate financial activities. Prior to Sarbanes-Oxley, there was little government oversight and virtually no possibility of criminal prosecution for the board members of publicly traded companies, some of whom therefore fraudulently misrepresented their books and earnings, causing catastrophic financial damage to millions of investors. Remember Bernie Madoff?
A key part of Sarbanes-Oxley involves record retention. To maintain SOX compliance, businesses must retain their records for a set period of time. Covered records include any documents with financial or sensitive client information, including financial statements, accounting records, sales reports, emails, memos, instant messages, bank statements, and invoices, to name a few.
While there is no set regulation for the disposal of covered records, SOX makes it clear that records must be meticulously and accurately maintained without alteration. Since it is not possible to keep all records indefinitely (and in some cases doing so is illegal, depending on whether this private information is covered by another data security regulation), organizations that fall under SOX should dispose of records upon expiration using, at a minimum, NIST 800-88 data disposal requirements. All of SEM’s high-security paper shredders, disintegrators, IT shredders, IT crushers, and degaussers are appropriate for the disposal of records covered by SOX following NIST 800-88 protocols.