• Gary Varga (4/10/2014)


    Just define legal requirements to be best endeavours. I think that in most sectors where it counts there are further standards; for example, in the UK we have the Data Protection Act (personal data), PCI (financial transactions, aka payments), and we all seem to follow Sarbanes-Oxley. By legislating only the demand for best endeavours, we rely on the courts to apply it reasonably, e.g. if I have a Solitaire scoreboard score that isn't encrypted then I would not expect any liability, but for medical records, bank account details, etc., I would expect protection by the law against any slackers.

    The grey area is the dumping grounds of data like Dropbox or OneDrive, which are just buckets.

    I believe that major financial, healthcare, and government organizations stay on top of data security. Where it's still the wild west is data aggregators, small online retailers, and fly-by-night startups. Not only do I not trust their technical expertise, but many of them have a business model where they swap or sell data dumps with reckless disregard for privacy. The government and media have their attention focused on the larger corporations, but there are a lot of small companies collecting big data. God only knows who's running these outfits, what their business model or agenda is, and what best practices (if any) they follow. We need laws that provide blanket coverage of any organization, regardless of size or industry, that aggregates sensitive personal data.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho