Cybersecurity: A Job for Uncle Sam
I’m sure some would argue that they’re burdensome, but I think they’re obligatory. I think we are coming to a time when we must assess breaches by some measure for harm, and when there is harm, the firm suffering the breach will be obligated to notify the person about whom the information pertains. It seems to me that if we can tell a bank that if you lose my money, you’re going to be responsible for it—that’s why they insure it—then why not take the same approach with information?
Now we come into that inevitable problem in our federalist system: Do we want to have a standard rather than 50 different ways of doing it? What you get with 50 different ways is, the marketplace will decide which is the most onerous, and [companies will] adopt it and all the others under it.
Right, from a compliance perspective, companies would logically conclude that if they comply with the strictest state law, that would put them in compliance with other laws as well. Are you suggesting that there’s a need for a national disclosure law that’s less strict than California’s?
I wouldn’t begin to characterize it as less strict. Having each state be its own little laboratory is useful in some things, and in some things it creates chaos. I’m saying that there needs to be uniformity. Maybe a national disclosure law would be a mirror image of California. Maybe we combine two or three of the laws and come up with something that everybody says, "Well, that makes sense, let’s do it that way."
What else do you predict for this legislative year?
We’re going to probably see a broadening or extension of the safeguard rule in the Gramm-Leach-Bliley Act to cover a significant number of organizations that handle sensitive information but that aren’t financial services institutions. There is a new awareness that personal information is very valuable, and it needs to be protected whether we’re talking about a financial institution or a university or a shoe store.
You’ve said in the past that we are not knowledgeable enough to begin regulating. Do you think we’re getting close?
The act of regulating is always moving by its very nature.
I remember the debate back seven or eight years ago we were having on taxing the Internet. I don’t like the idea, and how would you do it? One study said that for a huge firm it might cost 13 cents to collect a dollar in taxes, whereas a little firm would probably have to spend 87 cents to collect that dollar. It just shows you the inequity of legislation. Again, that’s not a product of evil intent. It’s usually the product of number 1, a complex problem, number 2, influence on the way the legislation is shaped, and lastly, just not understanding and thinking through to the end, What’s going to be the effect of all this? Does it make sense? That’s why I have been consistently saying, Let’s not rush in and start legislating. We don’t fully understand this, and even if we did fully understand it right now, six months down the road the situation will have changed.