Sunday, September 30, 2012

The Arms Race of Privacy Laws

This month Texas became the latest state to either introduce its own breach notification law or modify its existing one. Texas House Bill 300 is an update to the Texas breach law already on its books. The law is amongst the now 46+ disparate laws on the books that businesses in the U.S. must navigate and be expected to comply with if they do business in more than one state, or possess the information of a resident of more than one state. I imagine that this is the kind of convoluted (and expensive) business environment that companies in Europe had to deal with before the European Union codified most of their laws.

A cursory reading of the Texas law's provisions makes it appear as though companies now have additional obligations in Texas. For example, the law states that you must train employees on Personal Health Information within 60 days of hire, rather than simply on an annual basis. (Damn your existing training regime that is done annually for administrative ease or convenience!) As well, if your company thought of itself as only a business associate in Texas, well, guess what? Voila! Even if you were simply acting as a 'business associate' for a client, this law now considers you a 'covered entity' under its definition.

Lastly, the penalties under this law appear to be particularly egregious. The big difference here versus HITECH is that House Bill 300 can penalize a company every day, for each day it fails to notify patients of a privacy incident.

This precarious situation for large and small businesses alike is the result of Congress's failure to act in passing a national law superseding every state law. When states get impatient for the Fed to act, they take matters into their own hands. Many times, especially in the case of privacy and security law, they do it with the best intentions. Unfortunately, we often get a morass of confusing and contradictory pronouncements that are either unbelievably overreaching in scope or just simply too complex and punitive for a small company to attempt to comply with. This 'arms race' of states passing their own laws sometimes results in laws so esoteric and narrow that it may lead a small company to just ignore them, or to rationalize that it is easier and cheaper to pay any fines associated with non-compliance than to try to comply with the law.
And then sometimes you get laws that appear (at least to me) to be only knee-jerk reactions to high-profile cultural events like texting while driving. Granted, this is a dangerous trend and an equally dangerous activity that is a negative by-product of modern technology. It makes sense not to do it in practice, but to pass a law prohibiting texting while driving is, to me, pure demagoguery. So, you can't text while driving, but you can still eat, drink coffee, change the stations on your radio, program your GPS, sing, turn around to slap your kids, put on make-up, and on and on... Or what about the recent phenomenon of companies asking employees for their Facebook passwords? I am not sure about your company, but since when did this become such a national epidemic, like SARS or Swine Flu? Is this 1950, with employers asking employees if they are now or have ever been a member of the Communist Party? Sure, I believe it happens and it is wrong, but do we need to create and pass specific laws against it? Don't our legislators have anything better to worry about?

Yes, all of these activities generate press and show citizens that their generally do-nothing members of Congress are actually doing something. (I like to recall Hemingway's great line here: "Don't confuse motion with action.") But the outcome is just another law layered on top of all the other laws that companies, large and small, must deal with to be in compliance. The real ARMS race of nuclear arms proliferation between the U.S. and the Soviet Union ended in the 1970's with the SALT I and II Talks. Maybe lives aren't at stake here as they were with ICBM missiles, but maybe we can convince Congress that the situation for privacy and security law compliance is dire enough to warrant a SALT talk to prevent the further proliferation of these one-off, ad-hoc laws and end this arms race too.