White House moves on cybersecurity
I hope they learn from healthcare. The focus on privacy and the use of the breach notification system has had a measurable effect: clear requirements for 'what' to do, not 'how' to do it, backed by clear and actually enforced consequences for failure. It is amazing what a little 'sunlight' will do.
Largescale Health Data Breaches Declined in 2012 OCR Data Show
Healthcare used HIPAA and HITECH, two laws whose implementing rules define the expected outcome rather than a particular control, together with the OCR 'wall of shame' that publicly lists reported breaches. These are good examples of regulating to the outcome, not the means. That is a general pattern, not specific to healthcare or to security, and applicable to anything that can be regulated.
To be effective and long-lived, a law needs to be independent of technology. This is why I point out that the regulation should be about 'what' needs to be done, or what a good outcome looks like. When it is goal-oriented, a law or regulation can be met by an ever-evolving set of technology and policy, which can be adjusted over time to incorporate new technology and new policy as needed.