The problem with government mandated security
- IT TOPICS:Government & Regulation, Security
I was reading this CW article and it occurred to me that the US Government is doing it again: forcing US companies to meet some mandate that is supposed to protect US citizens. The Gramm-Leach-Bliley Act of 1999 is a good example of legislation that has forced technological change upon businesses, as is the whole body of Sarbanes-Oxley legislation.
Don't misunderstand me; I think there needs to be some type of control in place to help ensure that companies are doing what they should be doing. The problem is that, many times, legislation that is meant to be a guideline ends up being less a guideline and more a hurdle that has to be overcome. And the thing about hurdles is that some companies will spend far more money figuring out how to get around them than on trying to clear them.
So, this new data security bill is supposed to "require all financial institutions, retailers and government agencies to maintain strong internal safety protections for the data they hold." Many organizations are already trying to do that. For those that are not, or are not doing it well, this bill puts additional pressure on them to put the right security technologies in place. However, if a company can't afford those technologies, or doesn't have the technical people to support them, it will try to find a way around the legislation. I'll bet it finds one, too.
Legislation is good in theory. In implementation, sometimes it's not. But then, that's the case with almost any kind of guideline or rule, and we certainly can't do away with them just because a few companies will exploit them to the ends of the Earth. That said, I don't think there's any easy answer. It's one of those challenges that companies simply have to face.