I think you've just re-iterated my point. So I guess I'll switch sides -- you know, to keep the argument going.
The problem with modern legal systems is that they refuse to translate anything.
We had smoking and anti-smoking laws and signs and regulations for decades. Apparently those don't apply to vaping. Needed all new laws. We had laws for taxis, which apparently don't translate into ride shares.
Modern laws are never written for fundamentals -- in-air oral drugs, commercially-provided vehicle transit. There are certainly very good reasons for that. The problem is that those benefits come with enormous detriments.
The biggest problem with modern legal systems is that you really can't use them. You can't sue someone for $100. No matter how simple and how clear-cut the issue is, $100 doesn't cover parking at the courthouse. So already, you aren't going to utilize justice for anything small -- which is 99% of a person's need for justice. I'm not going to sue someone for scratching my car -- even $1'000 isn't worth the time and hassle and expense of a lawsuit for anyone with a job, let alone a career, or a business. That same concept extends to $1'000'000 for larger issues with larger corporations.
So most of modern legal systems are really just for media coverage. And by the time the murderer goes free, it's been six years and we've all stopped caring. Modern laws are initial-guidelines-only, and then the threat of legal action is basically the end of it for the vast majority of scenarios.
Which is why we've implemented all sorts of work-arounds for the law -- from bad reviews, to star ratings, to marketing and access.
So if you're asking me what I think we should do in the IT sphere, I think we should start writing laws the way we write code -- some laws (whoa, not all laws) but some laws ought to be based on the result, not on the action. We call those assertions in programming.
And some of them would be plainly obvious.
- Credit card data must be encrypted -- such that brute-force efforts would take more than 100 years at the time of decryption.
- You're accountable for any data stolen by any means that you've held for more than six months.
- Logging into someone else's database with a login/passcode (so not injection) is illegal; I don't care how you got it, how you used it, or why it wasn't harder to do. You know, just like breaking into someone's house is illegal, no matter how thin the glass windows were. Entry is entry.
- Selling someone else's data is like selling someone else's eggs.
- Publicly describing how to break into someone's systems is like publicly describing how to break into your neighbour's house. It's both illegal and stupid, since your house is pretty much the same.
The big point here is something that IT has never understood. We all have vulnerabilities. They can't be fixed. Your windows are glass. Bolt cutters exist. The fuse to your air conditioner is outside your house. The exhaust from your furnace is an exposed pipe about the size of a banana.
You can't stop a person from killing you with a baseball bat on the sidewalk in two seconds. You can't stop selling bats. You can't remove sidewalks. You won't sell enough helmets.
You simply make it illegal, and make it certainly enforceable -- and maybe even easily so. And then you accept the 90% solution, not because that's enough, but because we then have bigger problems elsewhere.
Alas, modern legal systems are terrible for any of this. And modern IT is even worse.
To be clear, I'm not at all complaining. I make money because of the latter. My Beloved does because of the former. Additionally, governance is a forever-impossible task for many reasons, including the fact that our governance systems are equally hindered by rapid change. I'm very happy that I'm not tasked with solving these problems, nor even addressing them.