The All-Purpose Fall Guy for Control Freaks
Leave the desk for 10 minutes and the computer screen goes dead. Why must I sign in all over again? "Sarbanes-Oxley," says the poor soul in the tech department.
Another memo arrives from the people who control the machines on which we work: You must now have yet another, different, impossible-to-remember password for yet another computer program, for a total of five different passwords to work on one machine. And not only must those passwords all be different, but they also must change every few weeks. Why? "Sarbanes-Oxley," comes the reply.
(A new computer program comes with the password "Welcome123." May I change that to a password I already use on another program? Sure, the technician says, but only if it contains a bizarre jumble of numbers and letters unrelated to any word in the Oxford English Dictionary. Ah. And why? "Sarbanes-Oxley," of course. So I keep "Welcome123" -- that's my password, and you're welcome to it. You'll find a bunch of half-written columns, a raft of outdated phone numbers, and -- oh, the embarrassment! -- a slew of old letters and memos that failed to win fellowships, grants, freelance assignments and raises.)
At the newspaper, everyone must now take a test that asks us to violate the ethic of journalism by refusing to talk to reporters who might call to inquire about how we do our jobs. Challenged about the contradiction, bosses say: "Ignore it. It's just something they had to do because of Sarbanes-Oxley."
This all-powerful Sarbanes-Oxley turns out to be a law Congress passed in 2002 after the Enron collapse to protect investors by forcing publicly held businesses to more accurately report information about themselves.
Nothing in the law specifically requires companies to turn cubicle life into a journey through the stages of hell. But that's how the law is being interpreted across the land. Sen. Paul Sarbanes, the Maryland Democrat who is retiring next year, has had to watch what he thought of as a guardian of ordinary investors' assets being transformed into a scapegoat for all things annoying at the office.
"You have some way-out requirements, and the company says that's what Sarbanes-Oxley says we have to do, but these changes are neither in the act nor in the regulations implementing the act," Sarbanes tells me. "I don't know where some of these things came from."
On message boards and in professional forums, computer techs are in a rage about this giant leap backward. The focus of their anger is a 170-word passage in the law that requires companies to document in fine detail how they will guarantee that their financial statements are truthful.
Businesses say they are spending millions to set up safeguards to prove their honesty to the government. But critics say those safeguards, while infuriating employees, would do little to stop a corporate criminal intent on defrauding stockholders.
A huge industry has popped up to cater to the anxieties of businesses that must comply with the law, but some advisers are counseling executives to chill out. "There is nothing about computer security in the law -- nothing," says Mark Rasch, chief security counsel at Solutionary, a computer security company with an office in Bethesda.
Computers are the favorite tool of those who want to steal money from companies, Rasch says. "If I want to steal, I have to manipulate the systems, so you need some controls. But there isn't any reason why those controls should apply to ordinary workers unless you're in the financial systems department.
"It's absurd how the law is being used to justify these silly timeouts and constant demands for you to type in your password. The law is just being used as an excuse for placing restrictions on workers."
Sarbanes sighs at how his name is being taken in vain as a nation of office workers grouses about new incursions on their time and sanity. "Some people in the business world think it's unnecessary regulation," he says, "but look at the price we paid with Enron and those scandals in losses of jobs and confidence in our capital markets. We didn't set out to create onerous requirements. We were confronted with these gross abuses, and we set out to protect the American investor."