On the one hand, I see how important it is to control personal information, whether it's your information or if you are the person entrusted to keep it safe. On the other hand, I see government-style regulations like HIPAA causing nothing but heartache and useless redundant paperwork for service providers and consumers alike. I mean, Jesus, how many times should I have to sign a HIPAA disclosure statement? Multiply that times the number of people in the United States who visit the doctor, times the number of times those people go to the doctor per year; that's a lot of trees, and that's just one single form that everyone is required to fill out. Disaster. In the end, does it really keep your information safe, or is it just the appearance of safety? Would that disclosure keep someone from hacking into a database server and performing a full dump of its contents? I don't think so. I mean, it might compel improved security, better training, and (once again) more paperwork and identification checking - but credentials can be forged, people can be compromised using social engineering strategies and paperwork is pretty much useless except for lawyers to pour through later at $250 an hour.
I do like the idea of a set of standardized, public, standards-based (open-source?) information security guidelines that businesses can follow check-list style, with auditing for maximum benefit, possibly tiers ("Silver" for check-list compliance, "Gold" for annual audits, "Platinum" for monthly audits by a certified third-party). My password was one of the many leaked over on Lifehacker, but that's okay, because compartmentalization is a basic security premise I live by. Compromised in one area? That's okay. The 200+ other places I connect are still secure. But, seriously, how would one know when creating an account for the first time on a service that the place is secure or not?
Take that a step further, and more germane to this discussion, any of these informants could be tracked down and killed. Granted, if someone were to gain access to my "I Can Haz Cheeseburger?" profile, they could wreak some serious havoc. But if local criminals had access to an indexed database of informants, I would consider that a slightly more serious compromise.
The government needs to have some sort of oversight department (Homeland Security, perhaps?) that has the authority and responsibility to randomly audit every agency in the US that stores sensitive information. The data owners need to be held accountable for their fiduciary responsibility for this information, and heads would need to roll if there's a compromise of this nature and depth. In the case of an audited system, why wasn't this caught? What was that, six or seven months? It's a bit scary that it took someone performing an Internet search to fix this leak. An easy way to fix this problem would be to pepper all databases with normal-looking but fake information. Set-up a Google Alert for each piece of information and if that info is seen anywhere by Google, trace the leak. I'll bet Google could have found the leak much sooner, and a large company like that could easily be asked to purge the data and assist with forensics.