Government Regulation in Security: Good or Bad
You want to protect yourself in cyberspace from the thieves and other criminals. So you probably take precautions, such as using anti-virus software and a Spam filter, and keeping your sensitive data secure on your computers.
The problem is that other entities have your sensitive information on their machines and in their databases. You have no control over what measures they take to protect your identity. No matter how much effort you expend to protect yourself, your safety is dependent on other people. Furthermore, some of these other people have very little incentive to protect your info. If they spend money on security, they reduce their profits. But if they don’t spend money on security and something bad happens, the damage doesn’t affect them, it affects other people. The operator of some internet concern can take the attitude, "I wouldn’t like it if someone stole our customers’ identities, but it’s not my identity. I’m not the one who suffers."
It’s kind of like valet parking. The valet company might take the attitude, "I don’t like it when people steal cars, but it’s not my car. It doesn’t really affect me."
That’s not exactly a valid comparison, after all, a valet company can be held liable for losses if their security was too lax, or if they are negligent. That’s government regulation. If you like using valet parking, you’re probably glad that the government steps in and has created some laws to give the valet companies significant incentive to take precautions with your car.
In cyberspace, various governments have stepped in to create laws giving companies incentives to employ security if they possess people’s personal information. As with valet parking it might be liability. The government does not mandate that the company take precautions, or if they do take precautions exactly what they should do, but if something goes wrong, the company can be forced to pay customers remuneration, or pay fines to the government. Other regulations describe the steps companies must take, or prohibit various activities.
A more libertarian approach would be "buyer beware". Do some research before doing business with a company. Or join a private organization that does the research for you. You pay a fee and get access to the reports. Or buy insurance. If something goes wrong, the insurance company reimburses you for your losses. The insurance companies would then have an incentive to do the research and advise you on which companies to avoid. Maybe they would even have lists of the bad companies, and declare they will not reimburse if you incur a loss with them. If a company is lax with security, customers will stay away. The company that spends money on security will have smaller profits, but that’s better than going bankrupt.
Which is better? Government intervention or market forces? In some ways, government is similar to the mythical private company researcher (which is not that mythical when you look at Consumer Reports, Morningstar, and other such organizations). The difference is in whether payment is voluntary or not. Also, with most of the government solutions, if you incur a loss, you don’t get any money back. The company loses, but so do you. On the other hand, the free market approach still requires a government that enforces private contracts. And with the market solutions, who keeps an eye on the organizations who claim to do research or the insurance companies? Other private watchdogs ("it’s turtles all the way down").
Would somebody who favors the market approach be willing to say there is no liability? That there is very little right to collect from negligent or even fraudulent people? Only insurance companies? And let the insurance companies do research? The government then regulates only the insurance companies.
Would someone who favors government solutions be willing to live with the "lag" the time between discovering something new and government’s response to it?