As U.S. industry waits to see how President Barack Obama's call for a new digital security law translates into actual legislation, it may be useful to look to other regulatory regimes to set reasonable expectations for establishing national standards for privacy and data protection. The logical inclination would be to look at existing, related regulations like the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley. But as technologies such as cloud computing, mobile and the Internet of Things disrupt the landscape, there may be a better exemplar: environmental law.

A year ago George Washington University Law School graduate and IAPP Westin Fellow Dennis Holmes offered a similar suggestion, based on the work of Prof. Dennis Hirsch, when he wrote for Privacy Perspectives that the 1990 Oil Pollution Act, which provides remedies for all stakeholders affected by oil spills, might show the way for crafting data breach legislation.

Legislative efforts to address air pollution began in the mid-20^th century with California’s landmark air quality law. What began with the Golden State’s oil boom in the late 1800s when Los Angeles boasted a population of barely more than 100,000 grew through to the 1940s when the West Coast had become a magnet for entertainment, shipping and industry and the city’s population mushroomed to more than 1.5 million.

As a result of the influx of people, automobiles and other trappings of modernity in 1943 saw the first reports of smog in Los Angeles. The problem got so bad that in 1947 that Gov. Earl Warren signed the Air Pollution Control Act, thus beginning the age of environmental law—and the first regulation written to protect the public from hazardous clouds!

Just as the Air Pollution Control Act and subsequent regulations responded to an existing problem rather than attempt to remedy situations that did not yet exist, data security and privacy laws should evolve the same way.

Passing a law didn’t eliminate the problem of smog. Indeed, the situation became a lot worse, but it started a process that enabled continued improvement as we learned more about smog’s causes and remedies. Those lawyers and legislators working on data and privacy protection can learn from the experience. We can’t try to stop the march of progress, nor can we turn back its clock.

Few will argue that air quality standards and environmental regulations are a bad thing; likewise, there should be laws in place that create incentives for implementing strong data security practices. And as with the Air Pollution Control Act in 1947, California led the way on privacy law with the passage of its data breach notification law, SB1386, in 2002. More state and federal laws have followed, including HIPAA/HITECH, Gramm-Leach-Bliley, Sarbanes-Oxley, Massachusetts 201 CMR 17 and others.

Just as the Air Pollution Control Act and subsequent regulations responded to an existing problem rather than attempting to remedy situations that did not yet exist, data security and privacy laws should evolve the same way. Acknowledge that there are risks, but do not discourage innovation by trying to prevent the unknown. To the contrary, give innovators room to develop new approaches and solutions.

To outsiders looking in, the need to keep up with progress is self-evident, but doing so in the context of our current regulatory compliance environment puts those who follow the rules at a clear disadvantage.

After all, we know that an overemphasis on regulation can have the undesirable effect of directing resources inefficiently—to appease auditors rather than address problems that need solving. In fact, the nature of the third-party audit trade itself would seem to reward a pursuit of repeat business rather than effective compliance.

For example, California’s Air Pollution Control Act actually made it more difficult for Californians to buy low-emission diesel cars because they didn’t exist when the law was written. According to the law, there was no difference between older diesel engines and clean diesel technology, which was introduced in 2007. It took five years for California to catch up when, in 2012, it passed the LEV (low-emission vehicle) III regulations.

We see the results of this conflict in CIOs who are paradoxically tasked with being both compliant (checking boxes) and innovative (thinking outside boxes).

Cloud adoption is a good example of this double standard as businesses demand software-as-a-service tools like Salesforce, Marketo and Successfactors, but compliance teams and auditors raise red flags over lack of data governance and unclear privacy accountability. To outsiders looking in, the need to keep up with progress is self-evident, but doing so in the context of our current regulatory compliance environment puts those who follow the rules at a clear disadvantage.

CIOs, CPOs and CISOs must constantly examine the impact of regulation and be active participants in the process. Unlike California, enterprise IT can’t afford to wait a decade for compliance to catch up to the needs of their business.

photo credit: Smoke stacks (LOC) via photopin (license)