IT's first reaction to regulators and auditors is to claim that a new control is being implemented. The next audit should therefore require proof that the control is actually functioning.
Sarbanes-Oxley audits have been known to go something like this:
Auditor -- "How do you detect leaks that could lead to fraud using your information?"
IT -- "We are in the process of rolling out the new Anti-fraud 3000 Enterprise Software that gives automated detection and reporting with stunning accuracy. It is a huge effort and scheduled to be operational about two months from now (after you leave us alone)."
So IT departments are being pressured to assess broader business risks and plan compliant controls for the near term, but it is not yet clear how courts will measure accountability.
Does an organization have to prove that detective controls are working (on an ongoing basis) in order to meet regulatory compliance? Who defines adequacy?
A Stanford Business professor quoted in The Economist indicates that shareholders should play a role: "The ability to guard customer data is the key to market value, which the board is responsible for on behalf of shareholders".
The Economist also notes that the FTC's lawsuit against BJ's was brought over an "'unfair practice that violated federal law.' The firm collected too much data, kept it too long, did not encrypt it, lacked password protections and left its wireless network open."
The result seems to be that it will no longer be up to organizations to decide for themselves that their "data practices are good".
To this end, federal and state laws (e.g. California's AB1950) will very soon require some variation of industry-based definitions of "reasonable" or "appropriate security measures".
Senator Barbara Boxer's latest testimony (Commerce, Science and Transportation Committee, Full Committee Hearing on Identity Theft, June 16, 2005) includes the typical justification for this kind of proactive approach:
"According to a 2003 FTC study, over a period of 1 year, nearly 10 million Americans were victims of identity theft. Losses to business and financial institutions were nearly $48 billion and consumer victims reported an additional $5 billion in out-of-pocket expenses."
Her Comprehensive Identity Theft Prevention Act (S. 768) proposes an Office of Identity Theft within the FTC and SB1386-like breach notification at the federal level. And just like SB1386, the really tough question will come long before a breach is discovered: what counts as "reasonable" security (confidentiality AND integrity)?