As U.S. industry waits to see how the president’s call for new digital security law translates into actual legislation, it may be useful to look to other regulatory regimes to set reasonable expectations for establishing national standards for privacy and data protection. The logical inclination would be to look at existing, related regulations like HIPAA and Sarbanes-Oxley. But as technologies such as cloud computing, mobile and the Internet of Things disrupt the landscape there may be a better exemplar: environmental law.
Legislative efforts to address air pollution began in the mid-20th Century with California’s landmark air quality law. What began with the Golden State’s oil boom in the late 1800s when Los Angeles boasted a population of barely more than 100,000 grew through to the 1940s when the West Coast had become a magnet for entertainment, shipping and industry the city’s population mushroomed to more than 1.5 million.
As a result of the influx of people, automobiles and other trappings of modernity 1943 saw the first reports of smog in Los Angeles. The problem got so bad that in 1947 Governor Earl Warren signed the Air Pollution Control Act, thus beginning the age of environmental law—and the first regulation written to protect the public from hazardous clouds!
But passing a law didn’t eliminate the problem of smog. Indeed, the situation became a lot worse, but it started a process that enabled continued improvement as we learned more about smog’s causes and remedies. Those lawyers and legislators working on data and privacy protection can learn from the experience. We can’t try to stop the march of progress, nor can we turn back its clock.
Few will argue that air quality standards and environmental regulations are a bad thing; likewise there should be laws in place that create incentives for implementing strong data security practices. And as with the Air Pollution Control Act in 1947, California led the way with on privacy law with the passage of its data breach notification law, SB1386 In 2002. More state and federal laws have followed, including HIPAA/HITECH, Gramm Leach Bliley, Sarbanes-Oxley, Massachusetts 201 CMR 17, PCI DSS and others.
Just as the Air Pollution Control Act and subsequent regulations responded to an existing problem rather than attempt to remedy situations that did not yet exist, data security and privacy laws should evolve same way. Acknowledge that there are risks, but do not discourage innovation by trying to prevent the unknown. To the contrary, give innovators room to develop new approaches and solutions.
After all, we know that an over-emphasis on regulation can have the undesirable effect of directing resources inefficiently—to appease auditors rather than address problems that need solving. In fact, the nature of the third party audit trade itself would seem to reward a pursuit of repeat business rather than effective compliance.
For example, California’s Air Pollution Control Act actually made it more difficult for Californians to buy low emission diesel cars because they didn’t exist when the law was written. According to the law there was no difference between older diesel engines and clean diesel technology, which was introduced in 2007. It took five years for California to catch up when in 2012 it passed the LEV (Low Emission Vehicle) III regulations.
We see the results of this conflict in CIOs who are paradoxically tasked with being both compliant (checking boxes) and innovative (thinking outside boxes). Cloud adoption is a good example of this double standard as businesses demand SaaS tools like Salesforce, Marketo, and Successfactors, but compliance teams and auditors raise red flags over lack of data governance and unclear privacy accountability. To outsiders looking in, the need to keep up with progress is self-evident, but doing so in the context of our current regulatory compliance environment puts those who follow the rules at a clear disadvantage.
CIOs, CPOs and CISOs must constantly examine the impact of regulation and be an active participant in the process. Unlike California, enterprise IT can’t afford to wait a decade for compliance to catch up to the needs of their business.