Steve, I have always liked your editorials, but I think you hit this one out of the ballpark. I agree with every point you made.

The amount of resources you expend on security should be based on the value of the data. This is a business decision, not one that you can specify in legislation. The business concept is due diligence. All entities should exercise due diligence in protecting their data and systems. If they do not, they should be hammered into the ground. My preference is for this punishment to be provided by clients and shareholders. Any government regulation in this area should go toward strengthening the punishment for failure of diligence. Legislation that specifies the bits and bytes of security is the wrong way to go.