Watching the President’s State of the Union and his call on Congress to enact legislation to better protect our personal information, I started wondering how much good we’ve actually gotten from regulatory compliance standards like HIPAA and Sarbanes-Oxley already in place. I knew I couldn’t dismiss them as useless, but I wanted to look for a model of regulatory compliance that has been steeping longer, from which I could draw some parallels to the current state of information privacy.
California’s air quality law — and subsequent state and federal legislation — was an acknowledgement that progress comes at a price. But environmental regulations are themselves an admission that we cannot completely eliminate the dangers associated with modernity; they are instead an attempt to mitigate the risks.
Los Angeles was still something of a sleepy outpost on America’s burgeoning West Coast when oil was discovered there in the 1890s. According to the 1900 U.S. Census not many more than 100,000 people called L.A. home. The oil boom and a growing film industry attracted enough people through the 1910s that the population quintupled to over a half-million by 1920. Growth continued during the next two decades when the concurrent Great Depression and Dust Bowl catastrophes touched off a westward migration that saw hundreds of thousands of people move from America’s Midwest and relocate to California in search of work.
In 1943, emissions from industry and automobiles led to the first report of smog in the city. By 1947, Los Angeles’ toxic air had become so problematic that Governor Earl Warren signed the Air Pollution Control Act, thus beginning the age of environmental law.
You might say the Air Pollution Control Act was the first piece of regulation that endeavored to protect people from “the cloud.”
Information and cloud security can take a lesson (and solace) from the pages of environmental law. Despite early attempts at regulation, air quality grew far worse before it got better. We’ve learned more about the dangers and how to better reduce their effects, and so it is with protecting and managing data.
Protecting data in the cloud
As with environmental stewardship, there should be laws in place that create incentives for implementing strong data security practices in the context of cloud adoption. Once again California took the lead with the passage of the landmark data breach notification law, SB1386, in 2002. More state and federal laws have followed, including HIPAA/HITECH, Gramm-Leach-Bliley, Sarbanes-Oxley, Massachusetts 201 CMR 17, PCI DSS and others.
The problem is that the legislative process unfolds based on the lessons of the past while technology advances with an eye toward the future. Attempts to write novel law that anticipates and remedies the unknown and adverse effects of technological innovation can have unforeseen and detrimental consequences, such as discouraging further innovation or the adoption of needed innovations.
Reliance on regulation can also have the effect of directing resources inefficiently — to appease auditors rather than address problems that need solving. In fact, the nature of the third party audit trade itself would seem to reward a pursuit of repeat business rather than effective compliance.
At the same time, CIOs are paradoxically chartered to be both compliant (ticking the box) and innovative (thinking outside the box). Software-as-a-service (SaaS) adoption is a good example of this double standard. Business units demand tools like Salesforce.com, Marketo and SuccessFactors, but compliance teams and auditors raise red flags over lack of data governance and unclear privacy accountability. To outsiders looking in, the need to keep up with progress is self-evident, but doing so in the context of our current regulatory environment puts those who follow the rules at a clear disadvantage.
Looking back at air pollution regulations, California’s compliance standards actually made it more difficult for Californians to buy low emission diesel cars in the previous decade, because the idea of a low emission diesel vehicle was not considered by those who wrote the law. Therefore, in California, it was illegal to sell cars that polluted less than their standard gasoline powered equivalents simply because they were “diesel powered.” Regulators eventually caught up to the times in 2012 when California passed the LEV (Low Emission Vehicle) III regulations.
It is urgent that CIOs regularly examine the impact of regulation on productivity because, unlike California, enterprise IT can’t afford to wait a decade for compliance to catch up to the needs of their business.