From the earliest days of the Internet in the mid-1990’s, the technology industry and its advocates have fought aggressively against government regulation.
It is ironic, given that the Internet itself is directly a product of a government program, the Defense Advanced Research Projects Agency (DARPA).
But we’re entering a new era of technology regulation. With news about social media manipulation by foreign governments, concerns about data gathering and collection, the growing importance and impact of technology in daily life, this isn’t surprising.
What is surprising is that this time, the technology industry and its advocates have softened their opposition to regulation. Microsoft President Brad Smith, in his book “Tools and Weapons” talks openly about the need for regulation. Bill Gates, in his introduction to the same book also talks about the need for regulation. And recently, Cisco’s CEO Chuck Robbins says that the technology industry needs to be regulated.
Policymakers are calling for regulation and the technology industry itself is expressing openness to it.
That agreement is good, but that’s as far as agreement goes. As the panelists at this year’s Geekwire Summit noted, there’s a real question not only of the way the industry should be regulated but how it’s even feasible. “I don’t think it should ever be about how to stop technology and innovation,” said U.S. Rep. Pramila Jayapal during the event.
While regulation isn’t coming fast, it clearly is coming. And regulation is something that can be particularly hard on startups because of the inherent overhead and drag on business.
It’s always risky to make predictions about regulation. However, security and privacy are the most likely targets for regulation because they are areas that touch on universal concerns and can be easy wins for regulators.
I believe four areas of security and privacy that I feel will be likely candidates for early stages of regulation.
For startups in particular, these are areas where taking steps today will have benefit your business as it grows. And being prepared for these in advance can save you a scramble down the road. Think of it as starting to turn the wheels early to make a turn more safely and successfully.
Below, I outline these four areas, explaining why these are likely candidates for early regulation, and why it makes sense for all companies — but especially startups — to put into practice now.
- Requirements for security updating for systems and devices
- Internet device “inspection” standards for access
- Privacy Regulation governing access to information, and the right to delete information
- Data Breach Notification Regulation
1. Requirements for security updating for systems and devices
The industry has known about the importance of regular updates literally for decades. From the worm outbreaks in the 2000s, we saw that the biggest challenge is getting people to apply updates.
Unfortunately, in the rush to mobile devices and the Internet of Things (IoT), those lessons were forgotten or ignored.
You need only look at the Mirai botnet to see an example of what happens when mobile and IoT devices aren’t updated. And a key thing we’ve seen is that many IoT devices in particular can’t be updated: they were built and released with no thought around updates.
This is what makes requirements for security updating an obvious candidate for regulation. No one thinks greater security is a bad thing, and this is a proven problem area.
Requirements in this area will likely be very simple: you need to be able to update the software and device. For businesses that make apps released through app stores, this is something you almost certainly are already doing. For businesses making devices, this can be harder (which is why some companies don’t do it). However, updating is not only good for your customers’ security, it also enables you to deliver ongoing value to customers and provide a reason to maintain contact.
As a bonus, maintaining contact can also help foster additional sales in the future. IoT devices can be commodity items, and customers forget the makers of their commodity items. Having an update mechanism can help address that by giving you and your customers reasons for an ongoing relationship.
2. Internet device “inspection” standards for access
This idea is easy and simple in principle. The government has established the authority to regulate the health of vehicles on the highway: it’s not hard to imagine expanding that to devices on the information superhighway.
This comes up nearly every time a major incident involving systems and devices poses a threat to the broader Internet. Whether it’s unpatched systems infected with Conficker, or devices forming IoT botnets like Mirai, the fact is that others’ bad “hygiene” can have an impact, sometimes major.
Also, this is something that would be relatively easy to implement given the nature of Internet access. No one connects “directly” into the Internet; they connect to a provider that connects to other upstream providers.
For businesses thinking ahead of this possibility, the steps to take are relatively simple and closely related to the first point: provide a means for updating apps and devices, and making it simple and easy for customers to see that they’re updated. Here again, this is an opportunity to make the relationship between your business and customers more of an ongoing one. This builds trust over time, and trust builds brand loyalty.
3. Privacy regulation governing access to information, and the right to delete information
This regulatory approach has already come to pass in Europe with the General Data Protection Regulation (GDPR), and will come into place in California next month with the California Consumer Privacy Act (CCPA). Based on those regulations alone, this approach is almost guaranteed to be put in place more widely.
If your company does business with (or has customers in) Europe and/or California, you’re already subject to it, or soon will be.
Even if this kind of regulation doesn’t impact you yet, it’s clear that this one is coming, fast.
As I noted in my article on CCPA, preparing for this kind of regulation can actually benefit businesses. Brad Smith said preparing for GDPR helped Microsoft’s business, and that lesson applies broadly.
Quite simply, the days of gathering data and locking it away are gone. And by preparing for this kind of regulation, you can provide your customers with something they’ve long wanted and are going to increasingly expect: the ability to see their data and delete it. On the basis of that alone, being responsive to this regulatory push early will place your startup or business on a good, proactive customer-service footing.
4. Data breach notification regulation
This is another regulation that we already see in both GDPR and CCPA. As noted above, this makes this a regulation that you can almost bet on. All the more so since slow response to large public data breaches fuels a regular cycle of outrage that makes this even more attractive as a regulation than data access.
All businesses that are custodians of data should already be in a position to respond if and when the bad thing happens. But the reality is, few are. Data breaches really are two events: the breach itself and the response to the breach. In a breach, the first event is almost always one that’s already happened, and so it’s one that businesses can’t control. It’s the response that is the “make or break” event for businesses.
For startups, the stakes couldn’t be higher. A data breach and a botched response can literally kill a company.
Indications from current regulation are that a fast notification is required and this is almost certain to not change.This means, in looking ahead for future regulation, you should expect the same thing and prepare accordingly.
Outside of the current and likely future direction of regulation, I can attest that speed of response, especially around communication, is the single most important factor in how the total situation ultimately plays out.
If you don’t have a data breach response plan already, now is the time to start building it. Especially since. If/when you need it, you can’t build it.
It says a lot about the world of technology today that the latest discussions around regulation are being met with acceptance rather than hostility by the industry itself. This means that as sure as winter in Game of Thrones, regulation is coming.
For startups in particular, it’s easy to follow the old path of hostility to regulation. But this time, it won’t work: it’s already happening.
By accepting the inevitability of regulation and working towards smarter, more reasonable regulation, startups and the technology industry can be a partner to shape better outcomes.
Security and privacy are areas where good, sensible regulation can and likely will happen first. And the most obvious areas for good regulation are ones where companies can take steps today to be ready and, in so doing, help shape that regulation wisely. Most importantly, these areas that I’ve outlined are all areas that have clear benefit for startups today.
Instead of looking at regulation as a hindrance, startups can look at it as a floor that governs everyone, and use that as a way to pull past and shine in contrast to their competitors.