In Depth

Security Regulations: Chaos in a Three-Ring Binder

Longtime CSO Bob Hayes has documented the reams of regulatory red tape growing in the shadows of 9/11. Is security soon to become a highly regulated activity?

By Sarah D. Scalet

Like most people, Hayes had never paid much attention to those kinds of orders. But one day, a few weeks after 9/11, while he was still with Georgia-Pacific, he got a call from one of his colleagues in the International Security Management Association (ISMA) who wanted to know what Hayes was doing about Executive Order 13224.

"I said, 'What's that?'" Hayes recalls. "And he said, 'It's about not doing business with terrorists. We have lots of government contracts and thousands and thousands of customers. How are you going to check your list?'"

At the time, Hayes had no idea what "list" his peer was talking about. Now, he thumbs through the binder looking for the right group of documents. "This is the first one that came out," he finally says, showing me a list of names of suspected terrorists. Osama bin Laden is number 12 or so. "It started as a list of 75 people at www.treasury.gov. These were groups [the government was] finding links to very early on."

Hayes started looking for the names and organizations on the list in various databases at Georgia-Pacific, both to comply with the order and to ascertain, for security reasons, that no one identified as a terrorist was working at Georgia-Pacific's more than 600 locations. Hayes made sure the government's list got checked against payroll. And against the visitor logs. And against the files for Georgia-Pacific's temporary agency, for its vendors, for its contractors, for everyone.

Then the list changed.

"Every day the list would just be bigger," he remembers. Eventually, it grew to thousands of names. "It would come out with a new date on the bottom, but you'd have no idea who they'd added to it." That meant that every name on the list, not just the new ones, had to be checked. (The government has since streamlined the process of adding names to the ever-growing list.)

And Executive Order 13224 was only the beginning.

President Bush fired off more orders in rapid succession: Executive Order 13231 on critical infrastructure protection. Executive Order 13234 creating a presidential task force on citizen preparedness. Presidential Directive 2 on combating terrorism through immigration policies.

All of them, in one way or another, involve security. Some laid the groundwork for more far-reaching rules. In May, for instance, the U.S. Treasury Department finalized the Patriot Act regulations that, among other things, require financial institutions to make sure that new customers don't appear on the suspected terrorist watch list. What became of some of the other provisions is, well, anyone's guess.
