In Massachusetts, an order has just been issued, the "Order Regarding the Security and Confidentiality of Personal Information." The measures it contains are intended to hold the state's government bodies accountable for following practices that protect against consumer identity theft.
Of particular interest is Section 4, which directs the Commonwealth's CIO to oversee each agency's guidelines, plans, reporting and auditing. The order calls, above all, for a great deal of auditing, which brings to mind Martin McKeay's excellent discussion of compliance through security.
Are these compliance regulations the right approach to preventing ID theft? Is there any realistic alternative?