Declan McCullagh, Chief Political Correspondent for CNET News.com, asks whether a "tech-impaired" Congress can be trusted with the task of authoring satisfactory data protection legislation. He answers the question with a resounding "NO."
Although I don't agree with Declan on the issue of Congressional competency (after all, it's the trade groups' staff that does the actual, heavy lifting of legislative drafting), it's hard for any objective observer to deny the possibility that Congress could wreak havoc in an area where the technology changes rapidly. So, he may have a point.
Then, however, he takes a step too far. He contends that the states should be left free to "experiment" with different approaches to data security legislation, with the "best ones" being mirrored elsewhere. I think that's problematic. Why would state legislators be any more "tech-savvy" than U.S. Representatives and Senators? My experience with state legislators is that there is more likelihood of the "bozo factor" being in play at the state level than at the federal level. States are just as likely to experiment unwisely as is the U.S. Congress, perhaps more so.
Moreover, why would one state that's already enacted legislation be inclined to think that another state's approach is "better"? Texans don't like "Damn Yankees" telling them how to run their business, and certainly don't "cotton much" to taking a cue from the "fruits and nuts" that grow in California. Do you think Massachusetts is going to take a cue from the Lone Star State? Perhaps, but is it more likely or less likely?
If the argument is that technology changes rapidly and the law needs to change with it, why doesn't that argue for a single federal standard, rather than 50 state standards? It does.
From the standpoint of banks that operate in more than one state, I find Declan's recognition of the problem that "it's very difficult to expect companies to sort through a myriad of state bills and see which ones they haven't complied with," to be encouraging; however, his "solution" is less so. He alleges that "companies can vote with their feet and choose to set up new data centers or offices in a neighboring state instead."
Actually, that's not going to solve the problem. Some state laws on the issue apply not merely to companies that are located in the state, but also to companies that maintain personal information on residents of the state. You simply can't do any business with the state's residents if you wish to avoid an onerous state law, and that's not going to be practicable for many multi-state banking organizations. If we were dealing with only one state, as in the analogy of Mississippi and tort reform that Declan uses, he might have a point. However, we already have 23 state laws whose requirements are, in many cases, inconsistent. To where, exactly, does one flee until this all sorts itself out?
No, it's better to fix a single national standard, if a national standard is required. Currently, banks already have a single national standard. They don't need that one and 50 more. What they need is (1) federal legislation no more onerous than current standards imposed by banking regulators and (2) federal preemption of state laws.