How is compliance really perceived?
Carl Ellison has an interesting story that may give some insight into how people in the business world really view the maze of data security and privacy laws that they have to navigate these days. Here's his story (told with his permission, of course):
I remember being in a workshop with health-care IT pros. We were talking
security – especially access control. I asked what their #1 threat was.
The answer: HIPAA. They weren't worried about whether a patient's records
were disclosed to a wrong person. They were worried only if they might go to
jail. They wanted a security solution that kept them out of jail with the
minimum effort and disruption for them.
In other words, the regulation itself is seen as a bigger threat than any disclosure of Protected Health Information! I wouldn't be surprised if you could hear similar discussions at meetings where other compliance issues are discussed.