Sometimes I think I ought to be entitled to some sort of hazard pay for my work reading the legislation that passes through Rhode Island’s General Assembly. (Naturally, it would be a matter for me to negotiate with my employer, not to try to put into another awful piece of legislation.)
Take S0134, which Governor Raimondo signed into law last Friday. On first read, it looks like an attempt to require government agencies that handle people’s private information to have security programs in place and processes to notify people in the case of a breach, and that’s a good intention. The problem is that, in the operative section, the law refers to “a municipal agency, state agency or person.”
“A person,” in the legislation, includes “any individual, sole proprietorship, partnership, association, corporation, or joint venture, business or legal entity, trust, estate, cooperative or other commercial entity.” And “personal information” includes social security number, driver’s license (or other RI ID card) number, account numbers with their PINs or passwords, medical or health insurance information, or even email addresses with passwords “that would permit access to an individual’s personal, medical, insurance or financial account.”
It’s easy to see the reasonable intention, here, but the language is frighteningly broad. Suppose I… I don’t know… start a small Web site and give contributors email addresses at the site’s domain. Since it’s just a small, cooperative project, I don’t have any written policies or anything like that — we’re just a few folks trying to make a difference in our community.
It’s conceivable that one of the contributors might use that email address to set up some sort of financial account, whether intended to be related to the site or not. It’s also conceivable that a hacker might someday crawl some file, somewhere, get the person’s email address and password, and use them to gain access to the financial account.
Do I need to figure out what “a risk-based information security program” is and implement it? Or maybe it’s worse than that, and the law ultimately will require every Rhode Islander to buy such software for computers with family information.
I could be taking the law too literally. It would probably be necessary for the scenarios that I’ve described to actually occur for some unlucky people, and however the legalities played out for them, the law would very possibly be changed to be more specific.
Be that as it may, as the government grants itself more and more authority to regulate every personal interaction in our society, one can see how it becomes more and more difficult to do anything without a team of lawyers. The impulse to make the world a safely padded playroom may be admirable, but it simultaneously turns us all into children who can’t be expected to address the concept of “risk” by ourselves and makes it impossible for us to innovate and thrive in a way that moves society forward and reduces income disparities.