The amendment generally would have made the much discussed Section 404, which includes data security requirements, of SOX optional for SMBs with market capitalization of less than $700 million, with revenue of less than $125 million, or with fewer than 1,500 shareholders.

Senator Jim DeMint of South Carolina was the amendment sponsor, and he criticized the defeat, stating that SOX auditing regulations unfairly burden businesses.

"This was our best chance at real reform, but many senators turned their backs on American small businesses. We can’t pretend to make America more competitive while ignoring burdensome regulations that are devastating small businesses. Sarbanes-Oxley is crippling American businesses and we’re quickly losing our ability to compete in the global economy.”

However, several other groups, such as the AFL-CIO, opposed the amendment. The April 30 issue of Bureau of National Affair's Privacy & Security Law (a subscription site) reported that the AFL-CIO sent a letter to Senate Banking Committee Chairman Christopher Dodd and the committee's ranking member, Sen. Richard Shelby, within it stating:

"The internal controls provisions of Sarbanes-Oxley embody the common sense proposition that no company should be able to offer securities to the investing public without having adequate internal controls to ensure its financial statements are accurate and not fictional. Companies that cannot manage this basic task should not be public companies."

I agree all business must follow sound financial procedures, and all organizations that handle personally identifiable information (PII) must have appropriate safeguards in place, which includes documentation and logging to demonstrate due diligence and create verifiable responsibility.

I also believe that many accounting firms, many of them some pretty big ones, and many so-called SOX compliance vendors, have taken advantage of SMBs' fear, uncertainty, doubt (FUD) and lack of knowledge of SOX requirements and have told SMBs that they must do much more to be in compliance with SOX than is really necessary.

Organizations need to establish proper documentation for their own specific business, implement safeguards to meet the risks of their own particular organization, and take a common sense approach to protecting PII while at the same time meeting regulatory requirements as appropriate for their own organization.

If a vendor is telling you that you must do what seems like inordinate actions and excessive money to be in compliance, go get another opinion from another vendor, or ask an experienced consultant who can give you an opinion about the work proposal. Don't let a vendor use FUD to scare you into spending more money than you need to meet compliance and to have a properly secured business.