Jared Maslin and Michelle Maslin
October 2023
Today’s global data privacy landscape is comparable to that of the United States accounting scandal era of the early 2000s: a lack of accountability, transparency, oversight, and comprehensive regulation has led to complexity, confusion, exploitation, and distrust. Utilizing the successful groundwork laid by the Sarbanes-Oxley Act (SOx) and subsequent regulations, companies can regain consumer trust in the investment of their data, just as investor trust was restored post-SOx. This paper demonstrates how privacy policies, which are intended to be public-facing documents on which notice and informed consent decisions are based, should be treated like financial statements and Form 10-Ks: they should be prepared using standardized formats, include privacy risk disclosures, be attested to by executive leadership, and be subject to independent third-party audits. We also outline the benefits of not only establishing privacy internal controls, similar to their financial counterparts, but also testing these controls and having management attest to their effectiveness. Taking inspiration from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), we put forward our own Privacy Cube, designed to help companies understand how to navigate the establishment of a bespoke privacy control structure, beginning with the identification of privacy risk areas. Using the “SOx Effect” model positioned in this paper, we envision global privacy regulation and processes that focus privacy obligations on the restoration and preservation of consumer trust.