August 14, 2013
Consider the push to require companies to notify customers in the event of a security breach that involves their private information. A no-brainer, right? But what happens when 20 or 30 or 40 states insist on crafting their own breach-notification laws, and they overlap and/or conflict with one another? A case in point is a Texas bill that Gov. Rick Perry signed on June 14, which requires any person who conducts business in the state to notify "any individual" whose information was involved in a breach, ostensibly extending the Texas law to all U.S. residents. As Morrison & Foerster attorney and InformationWeek contributor Nathan D. Taylor wrote in a column on this hairball of a proposed law, it raises all kinds of commercial and constitutional questions -- and related costs.
There's a regulation or set of guidelines governing just about everything: food, energy, rent, transportation, fishing, medicine, gambling, securities trading, outer space. Licenses are required to become not just doctors, lawyers, electricians, plumbers and financial planners, but also (depending on the state and locality) funeral directors, real estate agents, manicurists, hairdressers, sprinkler installers, armored car guards and horse track exercise riders. The rent-a-cops enforcing the concession monopoly on Long Island's Jones Beach used to physically chase me as a 14-year-old boy because I didn't have a license to sell Italian ices to sunbathers. (Those portly patrolmen never did catch me, even as I fled lugging a Styrofoam cooler packed with Marino's ices.) Rough estimates put the percentage of U.S. occupations that require a license at about 20%; many of them require no test of competency -- they're just another tax on business.
People like the sound of more rules and regulations as a matter of principle, because they're intended to protect consumers, employees and society at large. And many regs do just that. Environmental, construction and pharmaceutical codes and tests come to mind. They're critical. Look at China for an example of a country in chaos because of a lack of regulatory oversight. But even the best regs tend to go overboard, and they pile up quickly, as do the unintended consequences of innovation-sapping bureaucracy, specious lawsuits and other direct and indirect costs ... which businesses just pass on to their customers.
When laws and regulations prove to be overly broad or imprecise, they live on (and on) anyway, due to inertia or the thinking that a flawed rule beats none at all. Remember the Can-Spam Act, put into practice in 2004? It canned nothing; it only nabbed a handful of trophy offenders while conning people into thinking it would unclutter their inboxes.
Yet is there any talk of repealing this bureaucratic waste of taxpayer money and government effort? I'm not optimistic things will change. Regulatory overload goes back many years. In 2006, a frustrated VP of IT told me: "There are weeks, even months, that go by when I don't feel like I'm doing anything for my company because all I'm doing is complying with Uncle Sam. It's just insane." Said another IT exec at the time: "I'm not driving jack. I'm being driven. We're all being driven by lawyers." For every new regulation we create, we should be required to retire at least two that have outlived their usefulness. That's right: We need a new regulation to regulate regulation sprawl. Lord help us.