Legislation & Regulation

After decades of helping businesses of all sizes, “IT Consulting” has matured to the point where we are recognized as an industry. We play a vital role in responding to emergencies – from ransomware to floods, fires, and global pandemics. As an industry, we have some common goals and challenges. Sometimes, what we need as an industry bumps up against the needs of others in society. 

Whether it’s cybersecurity, reporting requirements, or right to repair, our voice needs to be heard. We need to take a seat at the table and participate wherever our industry is being discussed.

 

Table of Contents

Our Primary Goals

We have two types of goals related to legislation and regulation. Some are internal and some are public-facing. If you have ideas or skills to support reaching these goals, please consider volunteering.

Primary Internal Goals

Become the Voice of the Industry

Our vision is to become the voice of the industry, defining the standards for professionalism in IT Services. 

That means we need to help our members become educated about the activities that affect us, including government activities at all levels. 

We will help members to participate in the discussion of our industry, and to advocate on behalf of the industry. 

These are not the “skills” technical people normally bring to the job. But they are the skills needed to move the industry forward. 

We need to prepare our members to take a seat at the table where our industry is being discussed.

Primary Public Goals

Educate Critical Parties on the Role of the IT Industry

In addition to educating ourselves, we will strive to inform legislators, regulators, the media, and businesses everywhere about the important role IT Service Providers play. 

When these groups talk about us, we need to be in the room, and we need to make sure they understand that we do much more than repair their systems: 
We are charged with 

  • maintaining systems, 
  • protecting systems, and 
  • designing systems 

that help businesses and government agencies to be more successful at what they do. We need to have a seat at the table whenever and wherever our industry is discussed.

Background

Legislative Agendas and the NSITSP

Our industry is literally under attack. Of course the purveyors of ransomware, phishing attacks, and other “malware” are after us and after our clients. But we have many other concerns as well. Whether we like it or not, many small businesses do not like or trust the IT consulting industry as a whole. And we can’t blame them.

Various government agencies have set their sites on managed service providers and IT Service Providers generally. The most prominent of these is CISA (see https://www.cisa.gov/), which recently issued a report warning businesses what to watch out for when they hire IT consultants. Unfortunately there are many IT companies that sell “managed services” but do not perform the preventive maintenance required by the contracts they sell. That makes us all look bad.

The first piece of legislation on this front was passed in Louisiana to address state agencies and local governments. As the legislature sees it, managed service providers were selling state and local governments “security” that did not include the ability to recover from a ransomware attack and be back in business in short order. Right or wrong, the state answered with the primary tool they have at their disposal: legislation.

The U.S. Federal government hasn’t come after us yet, but they have lots of legislation that affects us. Whether it’s HIPAA, privacy laws, or required reporting for cybersecurity incidence, legislation is well on its way. At the local level, legislators are even more active. Every state now has one or more committees whose jurisdiction is cybersecurity in small and medium businesses.

State Legislation

In 2022, all but five US states introduced laws to regulate our industry. Over 250 bills were introduced.

This is how things work. Most of these laws did not pass in 2022, but they’ll be back next year. And, more importantly, they’ll be a little better written. They’ll be more fine-tuned. The legislators and their staffs will have communicated across the states and with each other. Consensus will be building.

We need to monitor this activity and respond, when appropriate.

Additional Concerns

Outside the government, we have additional concerns. The insurance industry is well funded and has a long history of looking after their interests with both state and federal governments. They have been hard hit by ransomware and are now beginning the process of asking legislators to respond to this changing market.

We need to make friends with the insurance industry and find where we can cooperate on common interests.

On top of all that, there are many topics of interest to our community besides cybersecurity. As both technicians and small businesses, our interests include (but are not limited to):

  • Right to Repair
  • Insurance rates
  • Cybersecurity (response requirements, reporting requirements, etc.)
  • Taxes
  • Regulation
  • Privacy laws (again, requirements include reporting in a timely manner)

Our World is Complex

In many cases, the “common sense” first response to many issues does not address the complicated world of technical consulting. Sometimes, the government’s response is inappropriate or disregards the basic needs of the client. For example, consider a ransomware attack. Often, our first reaction is to jump in and fix things. But, forensically, that’s often the worst thing you can do. If a state law requires a specific response time, or requires that the entire system be up in a short time window, what can you do? On top of that, the FBI says not to pay the ransom or you could be prosecuted for supporting terrorists! The client needs to get back in business, and the IT service provider is caught in the middle.

There are no simple answers to these questions. But one truth is clear: We need to be involved in the conversations that create these rules, regulations, and laws.

It’s great that we have an association dedicated to increasing professionalism in our industry. It’s great that we have hundreds of members dedicated to improving ourselves as individuals, companies, and as an industry. But sometimes that self-awareness and improvement requires that we engage as an industry with the larger community we operate in. We need a seat at the table!

Some people have looked at the sample proposed legislation that was originally written in 2021 as a way to jar people into paying attention and respond with a simple call for “No Legislation.” That answer would be fine if we existed in a bubble, safe from the hundreds of legislative bodies and thousands of regulators across the country. But those days are gone.

The truth is that our industry has matured to the point where we are recognized as an industry. We are recognized by clients and prospects as independent IT consultants. We are known to state agencies and regulators. We are known to CISA, the FBI, The FTC, and many other federal agencies. It’s time for us to have our say. It’s time to join the conversation. And, like it or not, that sometimes means that there will be legislation.

Whether it’s cybersecurity, reporting requirements, or right to repair, our voice needs to be heard. Join us – and help us pull our seat up to the table so we can join the conversation as a mature, professional industry that deserves to be heard.