Richard Warner of Chicago-Kent and Robert H. Sloan of the University of Illinois at Chicago's Computer Science Department have written Defending Our Data: The Need for Information We Do Not Have. Here's the abstract:
Data breaches occur at the rate of over two a day. The aggregate social cost is high. Security experts have long explained how to defend better. So why does society tolerate a significant loss that it has the means to avoid? Current laws are ineffective in providing an adequate incentive to avoid the loss. As Thomas Smedinghoff notes, laws — current and proposed — “obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures.” However, most the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.” We contend that the consequence is that the laws fail to provide an adequate incentive to improve information security. The solution is to provide better guidance about what counts as reasonable security measures. Data breach notification laws may seem like a viable alternative, but we argue they are unlikely to sufficiently improve security.