Legislation of e-commerce is becoming more interesting by the day. Recently I wrote about the sales tax issue and Amazon. The first article pointed out the fact that Law Dictates Behavior and there may be unintended consequences, then there was the issue of North Carolina wanting your sales tax. Now there is another very interesting topic: Massachusetts passed a law affecting how personal information is saved in databases. Here is a well-written article with more detail entitled A New Law Could Change the Way You Build Database Applications by Brian Moran. Yet another well-intentioned legislature may have taken a shot in the dark but definitely hit something.
On the Massachusetts site you can find a list of sources for FAQs and more regarding this law and other identity theft issues found here. What is most interesting to me is not the fact that they are trying to deter identity theft, that is excellent as the intentions are good, but it often seems that legislation may be rushed and in an area that should be self-regulating by market forces.
The law is related to how the PII (Personally Identifiable Information) of Massachusetts residents is to be stored and accessed (Massachusetts data security law, 201 CMR 17.00). The data must be safe not only from those gaining access to it online but also from access by those who work for the company storing it. Note that the fine is $5,000 per record – in other words, per individual.
Legislation often has unintended consequences. Clearly those businesses within the borders of Massachusetts need to be sure they comply with the law. However, potentially they are only at risk of being fined for the breach of Massachusetts residents' information as opposed to that of other states' residents.
Regardless, what about businesses in other states that have customers from Massachusetts? The Massachusetts government answers that question with a simple “that’s easy, all other businesses in the other states will protect the data, as we dictated, of Massachusetts residents therefore we have effectively protected our residents while conducting business or purchases in other states” (disclaimer: I made that up, no one said that, I’m just guessing – however I am a pretty good guesser), then they pat themselves on the back.
But let’s not forget what happened when states decided to request sales tax from Amazon when affiliates resided in that state and were the catalyst for the sale – quite simply Amazon essentially “fired” all the affiliates in that state. Clearly the major affiliate marketing effect was not intended by the legislature when they enacted the law.
In this case we can all foresee businesses looking at their customer base and deciding what to do. Is it worth attempting to comply with this law regarding out-of-state residents if you are a business that is not within Massachusetts, or would it just be easier to not sell to residents of Massachusetts? The answer may be “don’t sell to residents of Massachusetts”; of course, if they are a significant amount of revenue you may want to comply. The other issue is the business could say to itself “we are not going to comply, come and get us”. Either way, why is the government involved in the first place? Can’t the market decide? Is it not in the best interest of the business to keep all its consumer data safe regardless of where the consumers reside?
Let the Market Decide
After reading the Massachusetts FAQ and Compliance checklist it is clear that they (the government) have the same goal as the business – to protect customers' information. Here is the difference: if the business loses information or has a breach, the government has already decided on the penalty, which is a fixed fee per record or individual. However, the customers of the company will voice their frustration with their wallets and decide to leave if the infraction was considered to be worthy of losing their business, regardless of any law. With a predetermined government fine a business will do a cost-benefit analysis right now. However, the business cannot determine how consumers will react and whether it will lose business. It is quite possible the business will over-protect in the latter case. Either way, the business will have potential negative consequences in its revenue if consumers deem the infraction to be worthy of walking away.
In my opinion you let the consumers decide on what a business needs to focus its time and attention on. A business has limited funds and limited resources, why is the government telling them how to spend their time and money?