Today I learned that the Arizona legislature is throwing a party for hackers. Not one with food and drinks, but legislators are opening doors into secure computer networks and inviting irresponsible people to access Arizonans’ confidential data. It’s incomprehensible and it’s happening right before our eyes. And the Governor might sign the bill soon.
I am a global privacy consultant, an attorney, and adjunct law professor. I work with companies to help secure personal data from thieves and swindlers. When I heard about HB 2418, it concerned me tremendously because it puts millions of Arizonans’ data at risk.
HB 2418 is about auto dealers giving third parties, consultants and business associates, free access into otherwise secure computer networks – with no meaningful limitations on what these people can do with our data. That’s frightening as some of these “consultants” have been sued for hacking corporate networks.
These systems manage data provided by manufacturers, banks, warranty companies, millions of Arizona consumers, local governments and many more. Consider how much information you provide to dealers when you buy a car, and how much more data they have on the back-end to run metrics and manage their business. I bet the consultants will enjoy this data playground.
Some auto industry computer systems are very secure and only allow access by licensed auto dealer customers. These companies refuse to connect with independent consultants, and they are rightfully selective about integrating with third-party app developers like Cars.com. Other systems providers are more open. As a car buyer who wants my information to stay private, I hope all dealers work with the only the most secure computer systems. But in reality dealers already have a choice (so I’m not sure why they need this law).
In addition to requiring that all the dealers’ buddies get access to the industry database, HB 2418 would prohibit the computer systems companies from charging a fee and making a profit. Most software-as-a-service companies charge customers per-seat licenses and limit who is allowed to access the system. Why should auto dealers be treated differently; and why should legislators meddle in the free market?
I work with companies to implement and improve many systems, especially cloud services. If a client wants the service to integrate with a particular third party or product, the client asks. If the service provider says no, the answer is no. You don’t run to the legislature and ask them to pass a special law to override a business decision.
In America our government doesn’t force private companies to do business with customers they don’t choose unless the company has a monopoly, is government-funded, or there is an extraordinarily important government interest like fighting a war or ending discrimination. No one should be forced to allow third parties access into their systems unless it is the government itself – and even then, only with a warrant.
That isn’t the case here, so it is likely that this bill violates both the Arizona and U.S. Constitutions.
In a state with major technology and financial industry leaders like Intel, American Express, Charles Schwab, Insight Enterprises, and Motorola, it is perplexing that the legislature would even consider a law to force open enterprise networks and consumer databases. Consider all the data breaches you’ve heard about – most of them are caused by third parties who access a computer system without permission – just like those consultants whom this legislation seems to favor.
HB 2418 promotes and sanctions behavior that is completely contrary to the goals of every Attorney General (regardless of political party), the U.S. Federal Trade Commission, the U.S, Department of Justice, and all international governments except perhaps Iraq, Iran, and Russia. It is utterly ridiculous and appalling.
I am not a professional lobbyist and I’m not being paid to protect Arizona’s consumers. I care deeply about fairness and data protection, and I think technology companies should not be pushed around by government without just cause – or by auto dealers and their friends.
K Royal is a Phoenix-based lawyer, privacy consultant, and adjunct professor of law at the Sandra Day O’Connor College of Law.at Arizona State University.