While compliance with specific regulations certainly requires a good bit more than simple common sense, keeping data safe usually demands exactly that. Common-sense rules, procedures, and education at all levels are the best prescription for protecting private data. But just as important is listening to those who serve customers, because you can bet that in either case described above, simply saying "you can't do that" isn't good enough. Customers--both in business and in IT--demand more. Simply enforcing a list of what can't be done--particularly when IT's rules conflict with fundamental business conduct--is the surest way to marginalize IT's value to the company.
Art Wittmann is editor in chief of Network Computing. Write to him at firstname.lastname@example.org.