Regulatory compliance continues to be the main driver for security spending in almost all industries. But in essence, compliance is asymmetrical warfare: it costs a lot more to comply with new regulations than it does to write them.
The regulations keep on coming and lawmakers do not intend to slow down. If anything, regulation is driven by public sentiment, as was the case of the Sarbanes-Oxley Act (SOX) in the wake of the Enron scandal. So, if Enron gave us SOX, what does the current mess of financial scandals lead to? New compliance regulations seem inevitable even though businesses are groaning under the burden and complexity of all the existing regulations. Which is exactly why we need a new federal privacy law.
You might be thinking that I'm contradicting myself. If we have too many regulations already, why do we need more? Part of the problem is not the number of federal regulations, but the overlapping patchwork of local, state and federal regulations. When only giant companies operated nationally or even globally, overlapping regulations were burdensome but could be dealt with. Today, however, we are seeing the emergence of the national or global small/midsize businesses -- the mom and pop multinationals. Smaller businesses can use the Internet to expand sourcing and operations across the country or even the globe. So you end up with highly paradoxical situations in which small companies have all the compliance burdens of large multinationals, but none of the staff to support a compliance department.
Most regulations cover two broad areas: privacy and accountability. SOX is the big accountability regulation. Privacy, on the other hand, is addressed by a hodgepodge of industry-specific, regional and national laws.
A list maintained by the Better Business Bureau shows 34 federal privacy laws that apply to business. Some are industry-specific (HIPAA, FERPA, GLBA); some are consumer-protection focused (FCRA, FDCPA); others are specific to one agency or department (census, mail); and still others are supposed to control the government but rarely do (wiretap, CALEA, FOIA). At the state level, there are both privacy and breach-notification laws in so many variations that it is almost impossible to keep track. There's California's SB1386 and its 45 or so siblings in other states. The new data privacy law in Massachusetts (201 CMR 17.00), going into effect in January 2010, takes a very aggressive stance that will likely attract followers, just like California's SB1386. Add the European Union, Canada, Japan and other jurisdictions, and you are looking at more than 100 privacy laws that could affect any global company. Even a small company with 100 or so employees in a few states and customers in two or three countries could be facing more than two dozen different privacy laws.
That's exactly why we need a federal privacy law. All of these state and local regulations create an artificial barrier for companies to compete nationally and globally. They make every new out-of-state hire an opening for yet another massive regulatory burden. But in the end, all of these laws are aiming for the same basic goal: the protection of information about people. When there is a patchwork of local laws and a common challenge that affects interstate commerce, the federal government's role is clear and compelling. Harmonization under a single federal privacy law, one with teeth and clear rules, must be a top priority for Congress.