Recent months have seen a series of widely publicized personal data thefts from companies that ought to have known better – and, in parallel, a series of US legislative proposals for bills that would combine the characteristics of California’s SB1386 and the Sarbanes-Oxley Act. Of course, those organizations that lost data – and those who, but for the grace of [insert], go there – don’t think that more legislation of this sort is called for.
The choice, though, is quite easy: improve security voluntarily, so that people feel their privacy is properly protected, or be forced to do so – the outcome is not in doubt; only the pain and expense of getting there remain to be determined.
My expectation is that, just as with financial corporate governance, organizations will have to be forced to take proper steps to really protect personal data. A pity, because the total cost of that route is invariably greater than if it is tackled voluntarily.