Legislation in the “Know Not What They Do” Category


Sometimes I think I ought to be entitled to some sort of hazard pay for my work reading the legislation that passes through Rhode Island’s General Assembly.  (Naturally, it would be a matter for me to negotiate with my employer, not to try to put into another awful piece of legislation.)

Take S0134, which Governor Raimondo signed into law last Friday.  On first read, it looks like an attempt to require government agencies that handle people’s private information to have security programs in place and processes to notify people in the case of a breach, and that’s a good intention.  The problem is that, in the operative section, the law refers to “a municipal agency, state agency or person.”

“A person,” in the legislation, includes “any individual, sole proprietorship, partnership, association, corporation, or joint venture, business or legal entity, trust, estate, cooperative or other commercial entity.”  And “personal information” includes social security number, driver’s license (or other RI ID card) number, account numbers with their PINs or passwords, medical or health insurance information, or even email addresses with passwords “that would permit access to an individual’s personal, medical, insurance or financial account.”

It’s easy to see the reasonable intention, here, but the language is frighteningly broad.  Suppose I… I don’t know… start a small Web site and give contributors email addresses with the URL.  Since it’s just a small, cooperative project, I don’t have any written policies or anything like that — we’re just a few folks trying to make a difference in our community.

It’s conceivable that one of the contributors might use the email to set up some sort of financial account, whether intended to be related to the site or not.  It’s also conceivable that a hacker might someday crawl some file, somewhere, and get the person’s email info and use it to gain access to the financial account.

Do I need to figure out what “a risk-based information security program” is and implement it?  Or maybe it’s worse than that, and the law ultimately will require every Rhode Islander to buy such software for computers with family information.

I could be taking the law too literally.  It would probably be necessary for the scenarios that I’ve described to actually occur for some unlucky people, and however the legalities played out for them, the law would very possibly be changed to be more specific.

Be that as it may, as the government grants itself more and more authority to regulate every personal interaction in our society, one can see how it becomes more and more difficult to do anything without a team of lawyers.  The impulse to make the world a safely padded playroom may be admirable, but it simultaneously turns us all into children who can’t be expected to address the concept of “risk” by ourselves and makes it impossible for us to innovate and thrive in a way that moves society forward and reduces income disparities.

  • Warrington Faust

    I could be taking the law too literally.

    One never knows. I am reminded of a news story from the days when “skinheads” (that term describes half the cops you see now) were the leading threat to American liberty. Cops were pulling over guys with shaved heads “on suspicion”. In any case, one of them set himself up with a 10-watt radio transmitter in his basement (range should be about a mile, or less). He did not originate it, but he styled himself “Commendante Zero”. I understand he was broadcasting what would now be known as “hate speech” to his neighbors. (This was somewhere in Michigan.) The FBI assembled a SWAT team, attacked his house, destroyed his radio and arrested him. This was in the “print” days, I lost the story after that. You never know what the government will do when it gets a mad on. Couldn’t someone have called the local police to “investigate”? Of course, being radio, under the FCC, it was a federal offense. Someday, I will entertain this forum by explaining how the government stole radio from Mr. Marconi by inventing the “air wave”. If “a risk-based information security program” is giving you trouble for a definition, look up “air wave” in the dictionary. Mine says “Not used in scientific discourse”.

  • Transparancy

    Speaking of “your employer”, Justin. Why won’t you share with the public who your employer is?