When the Massachusetts Senate took action this week to modify the state data privacy act (Standards for the Protection of Personal Information of Residents of the Commonwealth), I didn’t jump for joy the way some people did.
Yes, the original legislation set such a high benchmark that it would place an enormous burden on businesses to comply: encrypting all personally identifiable information, and designating one person to oversee a company’s privacy program (a big burden for smaller businesses where there’s not even one person dedicated to security). So I understand the hue and cry about legislators not getting the implications of what they are putting in place because they don’t understand the technology, or IT, or the economics of risk management for the business world. That is all true.
But what is also true is that data protection is changing, and needs to change, in the U.S. Even as the Massachusetts law would defer to federal law in many places, the fact is we don’t yet have a tough federal law on the order of what is commonplace in some other parts of the world. Americans, as capitalists, often roll their eyes at many European conventions (think: six-week vacations, nationalized health care, controls on greenhouse gas emissions) but in fact the U.S. could end up emulating some EU practices because they work. Privacy and data protection should be no different.
As a resident of Massachusetts, I’m disappointed that my state might not end up with the toughest data protection law in the nation. But I hope the feds will soon pick up the ball and take care of that for us. Unlike legislation like SOX, where the sins of the few brought the burden to the many, a federal data protection act would be one for all of us. With nothing less than the integrity of our identities at stake, creating such electronic border controls should involve federal funding just as any aspect of national security does. And on the global stage in the electronic age, this is indeed a national security issue.
Yes, many states have data protection laws on the books now. But that doesn’t satisfy the Europeans, who view our data protection as weak without a federal law. Now’s the time for the feds to step in and give us a united stand.