Legislation should not try to go to that level of detail because technology changes. Legislation could be expected to attempt to define legal responsibility for security negligence which can adversely affect many people to a minor extent, or a few people to a major extent. The UK Data Protection Act requires organisations processing personal data to take appropriate security measures. It doesn't state what these are and doesn't have to. The Nationwide Building Society was fined 980,000 UK pounds for a breach of the DPA a couple of years ago, when account details of many account-holding members (one of them myself) were leaked.