I agree that regulation directing the how would not be effective. What is needed is to make data security a personal priority for CEO’s and Boards of Directors. When they have a personal interest in good data security the necessary resources will be provided to those that can actually do something about it. Maybe 10 minutes in jail for each account/record lost would be incentive enough. As someone else said money is what moves people. So maybe a $1,000 per record fine would work. Until it is cheaper to do business right than to do it wrong, it will be done wrong.

Ray R