It is only Wednesday, and already I’ve reviewed at least 3 different policies that require employees to obey applicable laws. This is not just self-evident—it’s a professional cop-out.
Somebody doesn’t need to spend years at a prestigious law school and then suffer through an 80-hour-a-week apprenticeship at a major law firm to provide you with the advice that the law requires…obeying the law. I would hazard a bet that virtually every one of your employees already knows this. Reminding them of this self-evident and universal requirement may provide the enterprise with some CYA, on the outside chance that one of your employees breaks the law on your time, but it has virtually no positive effect on what individuals actually do on a day-to-day basis. (“Doh! I suddenly remembered not to break the law!”)
When a lawyer provides you with verbiage that says “You must obey all applicable laws,” it means that they are either lazy or ignorant, neither of which is considered desirable for highly paid corporate counselors. Any time a lawyer (or an auditor, or an information security specialist) provides you with either an open-ended category of risk, or an awkwardly long list of possible risks, take it as a sign that their priority is self-protection, and they really do not care to help you do your job. If anything bad happens, then they can say that they warned you, and it is your fault, not theirs.
A policy element that says “you must obey all applicable laws” is useless unless some legal expert has the courage to provide a list of what those laws are, and what needs to be done to follow them. Instead of demanding that the business units obey all laws, how about a policy requiring corporate legal to provide a list of all relevant regulations, in priority order?
The brutal fact of the matter is that nobody knows what laws potentially apply to the corporate use of information. The legal field can easily come up with a list of laws that have applied in the past, and it can provide some degree of speculation on where regulatory actions are likely to take place in the future. However, in our increasingly ambiguous and complex world, legal surprises are going to happen. That’s a cost of doing business. If ambiguity exists, it should be identified as such, it should be the subject of a business decision, and if the decision is made to accept the risk, then the situation should be monitored—that’s a perfectly reasonable approach. What is unreasonable is to expect business managers or end users to be legal experts, dumping responsibility in their laps for obscure regulatory risks that the legal profession refuses to take a stand on.