There was a meme a while back that the USA should act upon Data Piracy the same way it acted upon High Seas Piracy at the turn of the 20th Century - acting unilaterally to clean up the high seas, making trade safer, cheaper and faster for all nations.
A similar approach might be the best tack to take here:
* Have a public register of breaches, with auditor sign off of the details of the event so we can all learn
* publicly registering the breach gives some degree of protection from liability / punishment, but there is an expectation of competence and good practice (very much like accounting)
* Work with the EU over Data Protection definitions and approaches - if both the US and EU are singing from the same hymn sheet it will become globally de facto
* probably the biggest area to push in that is that personally identifiable information should belong to the person identified - and treated like an asset held in trust by those who hold it...
* beef up whistleblower laws and roles of researchers
* have the NSA buy back some of the world's trust by identifying and hunting down cyber criminals the same way actual violent terrorists are