The feds have had a recent set of screw-ups with data security, one involving a Department of Veterans Affairs employee who took home, and lost to theft, a database with personal information on 26.5 million people. One conclusion might be that it's a bad idea to let a guy working at the VA take home personal information on 26.5 million people. Another would be that the federal government should tell the private sector how to manage data security. As Wayne Crews and occasional Reason contributor John Berlau report over at NRO, legislation under consideration would impose one-size-fits-all, Sarbanes-Oxley-like data security regulations on every credit-card accepting business in the country:
…The bills go beyond most state rules requiring consumer notification and actually mandate that businesses follow specific practices and procedures for data security. As they have an incredibly broad definition of information brokers, it won't just be data warehouses like ChoicePoint that are subject to these rules, but the independent convenience store and home-based online seller as well.
Many small shops would stop taking credit cards, hindering their ability to grow and compete. Many home-based online businesses would never get off the ground.
Whole thing here.