[Editor's note: Kathleen Carroll tracks legislative happenings affecting access control and identification for HID Global. She has agreed to share regular news reports from the legislatures around the county regarding proposed legislation that would affect security end users, dealers, integrators and manufacturers.]
One of the key tenets held by professionals in our industry is that, despite all the talk of "security", we are really in the business of risk management. With that in mind, I have been monitoring the legislation introduced at the state and national levels, which if passed, would put at risk countless security systems that rely on electronic communications to control physical and logical access.
More than 20 states have introduced legislation that would restrict or regulate the use of radio frequency technology, and in some cases, photo-optical, photo-electronic, and electromagnetic technologies. The stated purpose of much of the legislation introduced thus far has been to protect the privacy of citizens. The fear, reinforced by privacy advocates, is that government and private businesses will use personal information gathered for nefarious purposes, such as tracking citizens.
Currently, Washington and California have legislation pending that, if passed, would directly affect the security industry. Here is a synopsis of those bills:
California has four bills pending that would ban or regulate the use of radio frequency technology:
- Senate Bill (SB) 31 makes it a crime to remotely read identification documents using radio waves without the knowledge or consent of the holder of the document.
- SB 28 bans the use of radio frequency technology in driver's licenses or identification cards issued by the California Department of Motor Vehicles.
- SB 29 prohibits a public school, school district and the county office of education from issuing any device that uses radio frequency technology to students.
- SB 30, the Identity Information Protection Act of 2007, incorporates numerous provisions that could prove onerous for users of radio frequency technology in California including specific language that mandates the use of encryption and mutual authentication if personal information is transmitted (a unique personal identifier number is considered personal information in the definitions section of SB 30).
House Bill (HB) 1031 currently introduced in the state of Washington:
- Requires employers to obtain written consent from each employee so that they could use any security system using electronic communication devices;
- Gives employees the right to decline to use the system at any time unless a formal written contract is in place;
- Affects all electronic communication devices that use radio frequency, electromagnetic, photo-electronic, or photo-optical technologies to communicate personal information;
- Defines personal information to include unique identification numbers (a commonality among most of the bills introduced nationwide thus far);
- Requires that each and every access control card issued be clearly labeled to indicate that the card uses any of the aforementioned technologies.
To date, bills introduced in Alabama, Illinois, Maryland, Massachusetts, Missouri, Rhode Island, South Dakota, and Utah have either died in committee or been defeated. New Hampshire and New York passed bills that created commissions to study the use of radio frequency technology. Those commissions are supposed to report on their findings in 2007. In California, the Identity Information Protection Act of 2006 passed the legislature but was vetoed by Governor Schwarzenegger. That same bill (SB30) has been reintroduced as described above. Likewise, House Bill 1031 is the second attempt in the state of Washington to regulate the use of electronic communication devices.
If information is the currency of democracy as Thomas Jefferson said, the security industry should use the currency provided here to mitigate the risks we are all facing from well-intentioned but ultimately harmful legislation.