July 21st, 2003, 06:18 PM
#1
Don't hesitate, legislate!
Hospitals and other health care agencies in the US have just recently begun complying with HIPAA (Health Insurance Portability and Accountability Act), tightening security controls and creating tougher policies. The goal of this Act was to make insurance providers accountable for the integrity and privacy of medical records. I realized that a similar approach could be helpful in the wider privacy movement. Credit Bureaus keep millions of credit reports in easy to reach databases for clients to tap into. Thousands of other companies keep copies of client records in computer systems to facilitate accessibility by employees (and hackers...).
Wouldn't it be great if the US government (and of course other national/international legislative bodies) could pass legislation governing accountability and integrity of all electronically stored personal information within its jurisdiction? I'm talking about basic standards for privacy and security. Personal information would include banking information, credit information, and other personally identifiable information that could be traced to the owner. Basic standards would include intrusion detection, vulnerability assessment and correlation, encryption, access control, auditing, etc. Enforcement would be brought about by random unannounced inspections by the FCC or other government agency. For home users, inspection could occur during an IRS audit.
But WAIT!! I don't want anyone looking at the private information I have on my computer, especially Big Brother! Well, what if vendors built compliance mechanisms into their operating systems that would send policy reports to government computers on a monthly basis? That way, if a report doesn't come in, the feds knock on your door, and if you have a poor report, the feds can send you an email. Or better yet, if you're all good (which should be the default configuration) they don't bother you at all.
This post is open to praise, suggestion, flames, and especially constructive criticism.
$person!=$kiddie or die("Alas, die you hotmail hacker!!");
SecureVision