Analyzing other skills-based industries shows how increasing IT regulations due to its commoditization will dramatically change how IT workers will be qualified to work in IT in the future.
As new laws, legislation and regulations increasing seek to hold individuals accountable, more and more law suites will seek damages from the organizations for which these individuals work.
Time will tell if the private legal system takes Medco to task as they did to the Seattle Cancer Care Alliance, which was required to pay over $90,000 in credit reparation activities for affected members.
However, this is exactly the type of highly-visible harm that spurs legislative response. Lawyers are not ignorant of IT law and are, in fact, assisting in driving the changes that will take place.
Benjamin Butler, counsel with the Washington, D.C. law firm Crowell & Moring LLPs Health Care Group, says he finds the Seattle Cancer Care Alliance case particularly interesting because it shows that prosecutors are eager to remind businesses that HIPAA has teeth.
It appears that this person could have been prosecuted under a number of other statutes, Butler said. But prosecutors chose HIPAA. They wanted to send a message that this authority is out there and people shouldnt forget about it.
The normal response when businesses lose lawsuits is to avoid or mitigate liabilities. Thus, as other trades were forced into the stringent worker qualification processes by government mandates as society became dependent upon them, so too will IT and those businesses that operate their own IT organizations.
Licensing, Bonding and Auditing
The normal pattern of response to risk by business is some form of industry self-regulation, which typically does not have the teeth required by lawmakers. Following the inevitable failure of self-regulation, government legislation will begin mandating worker qualifications.
Following are my predictions on the likely future controls to be placed upon IT workers, executives and companies.
Prediction: IT workers and IT system users will require formal licensure to operate or access systems with access to personally identifiable information or personally identifying information (PII).
PII is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. Of course, this definition of PII makes today's IT workers and even many users of IT systems responsible for their actions and liable.
One aspect of qualification is licensing. If the work has significant public interaction with potentially high standards of accountability, society typically requires a practitioner to obtain a license.
Obtaining a license is more than paying a fee and passing an exam. Normally controlled by the government, a license makes one responsible for the consequences of their actions and thus liable to any penalties incurred due to incompetent, illegal, or immoral actions.
Most licensing agencies have a registry where you can lookup the practitioner and determine if their license is valid and possibly see previous infractions.
Licenses may be taken away for poor performance, as well. Having a license suspended or revoked is foremost to protect the public and then to punish the practitioner.
While there is no formal licensure for information technologies today, imagine a day in the future when federal, state, or local laws contain civil or penal code entries like this:
PURPOSE -- LICENSE REQUIRED. In order to safeguard the public health, safety and welfare, it is in the public interest to regulate and control database administration, to promote the safety and quality IT services, to prohibit unqualified and dishonest persons from practicing system administration and to protect against acts or conduct which may endanger the health, safety and welfare of the public.
(1) License required. It shall be unlawful for any person to practice system administration or offer to practice system administration unless that person is duly licensed pursuant to this act.
The preceding is fictitious but based on real, existing legislative language for other trades (nursing, plumbing, etc.).
Lawmakers have already begun enacting legislation to limit the distribution and accessibility of PII, leading to the question: How far off can IT licensing be and what might such legislation entail? Again, existing crafts predict the future of IT.
Prediction: Human resource operations in the future will be required to provide personal performance and evaluation information on IT workers and systems to public registries.
Registration is the listing of a practitioner, their specialty, credentials and performance records. Most often licensing requires registration. Some states already offer license look-up services that search state databases holding information on professionals, for example, plumbers, who hold a professional license in the state. These are easily extended to include IT workers and those who use IT services on a daily basis.