by dahfizz 2282 days ago
I completely agree with you. The legal system is entirely out of reach for the average citizen, and this is something we should fix.

However, us wanting things to be a certain way doesn't change how things are. If Congress passed a "Data Protection Act" it would be indecipherable, full of technical illiteracy, and heavily influenced by the richest lobbyists (Facebook and Amazon, anyone?).

This is my objection. I would love for a real data protection act to be legislated. But Congress has its own agenda and ineptitudes. Do you really trust the people who wrote the Patriot Act to protect your sensitive information?

1 comments

That’s bullshit. The federal government is able to produce a lot of useful technical regulation and guidance.

Hell, the whole infosec policy framework used everywhere is built off of NIST 800-53.

I’m pretty sure NIST has more engineers than politicians. The same cannot be said of Congress.
Congress would write a law with general objectives, and leave the regulatory work to an exec branch agency. The regulations generally either reference or draw inspiration from NIST.

HHS uses NIST stuff to guide HIPAA. IRS is more prescriptive, but everything in IRS 1075 is still based on NIST stuff.

You have to separate the political puffery from reality. The Federal government is very good at establishing effective regulatory frameworks. They fall down with the long-term maintenance of regulations, as it's often difficult to keep the legal mandate up to date.