Decisions about complying with Sarbanes-Oxley, HIPAA and other rules is often an exercise in risk management and negotiation.
