How about neither?
Chris Soghoian has an interesting post at his Surveill@nce St@te blog on C|Net decrying the “evisceration” of a data-breach bill in the Indiana legislature. He’s a big advocate of the bill and evidently spent a lot of time working for its passage.
“In a committee meeting Tuesday morning,” he reports, “Republican committee members successfully eviscerated the bill, reducing it to a mere 17 lines of text from the original 72. The Web site report provision and the requirement that companies notify the state attorney general whenever a data breach is discovered were stripped.” Etc.
I’m somewhat bemused to sense the excitement a young person has getting his first experience with the legislative process, then being disappointed with the results. I’m less amused – annoyed, frankly – that someone would use the length of a bill as a proxy for its quality. By that measure, the Consolidated Appropriations Act must be a real gem.
But it’s downright troubling to see a smart young man so thoroughly fallen victim to the fatal conceit. Top-down planning is no better in data security than it is in distributing bananas, but Soghoian is pretty sure he’s figured out how data security should be done across the economy (at least the economy of Indiana). I’m not sympathetic when his plans to have the legislature in his state carry out his will are quashed by others similarly situated.
Better than the regulatory contraption Soghoian desires is the use of simple common law rules, letting liability bring distributed knowledge about data breaches and data security together to construct the practices that best serve the public. There’s more to law than legislation, and people need to learn that.