security
 The Evolution of Privacy Regulations in the U.S.


   CONSUMER PRIVACY, AND THE ISSUES OF LEGAL LIABILITY THAT SURROUND IT,
   ALWAYS SEEM TO BE AT THE FOREFRONT OF THE BUSINESS NEWS LATELY.
   THE ATTENTION THAT THE ISSUE HAS BEEN GARNERING IN THE NEWS IS
   FAR SURPASSED BY THE ATTENTION PRIVACY HAS GARNERED IN LEGISLATIVE
   BODIES AROUND THE COUNTRY. STATE, LOCAL AND FEDERAL GOVERNMENTS ARE ALL
   TAKING WHAT THEY BELIEVE TO BE THE NECESSARY STEPS TO PROTECT CONSUMERS
   FROM THE MISAPPROPRIATION OF SENSITIVE PERSONAL DATA.

by Heather Randall Mark

    Rather than focusing on one particular regulation or act, this article will focus on the policy processes behind the legislation in an attempt to explain why the government has become galvanized around the issue, and why legislative attention is not likely to shift in the near term.
    Several high-profile companies have acknowledged losing personal data. It is safe to estimate that such losses actually occur far more often than they are acknowledged. Deborah Platt Majoras, the Chairman of the Federal Trade Commission (FTC), recently appeared before Congress to testify about the security of personal information. In her prepared statement, Chairman Platt Majoras detailed ways in which the private sector can assist in fighting the growth of identity theft. Among the measures that businesses can take, she suggests more thorough authentication procedures, a process through which the business can help victims recover, and adherence to the principles outlined in the FTC’s publication, Information Compromise and the Risk of Identity Theft: Guidance for Your Business. She concluded by saying that the Commission is committed to the protection of personal data.
    Clearly, the message communicated by her statement, and by the fact that Congress was actually holding hearings on the matter of consumer privacy, is that the government is only going to become more involved over the years in mandating protective measures for personal information. In order to understand the current hyper-regulatory environment surrounding personally identifiable information, it is necessary to have a cursory understanding of the policy process. The models of policy process and creation are numerous, but all seem to share the basic traits of the model of the Political System developed by David Easton, a noted scholar and researcher on issues of political structures and theories. Simply put, the system is composed of inputs, which are fed into the “black box” of government. Within this box are actors who make decisions based on the inputs. The results of these deliberations are policy outputs.
    Easton’s model of the political system converges nicely with Anthony Downs’ theory of policymaking, as well. Anthony Downs is a renowned scholar specializing in issues of democracy and urban policy. Downs developed a theory describing the cycle that instigates policy change in the United States. His theory basically says that if only the politicians and experts are aware of a problem, it is less likely to garner political attention than if the media and public are aware of the issue and begin to pressure their political representatives for action. He describes this process as the Issue Attention Cycle, or IAC.
    Downs’ model of the IAC includes five main stages: Pre-problem, Alarmed Discovery, Realizing Cost of Progress, Decline of Public Interest, and Post-problem. In the Pre-problem stage, very few people are aware of the issue. This is not to say that there is no problem, merely that awareness of the issue is not prevalent. This stage is followed by the “Alarmed Discovery” of the problem. During this stage, the media and the public may issue an outcry for the politicians to take some action to counter the problem. The next stage is “Realizing the Cost of Progress.” As the name suggests, at this stage the public is made aware of the measures that are required to correct the situation. “Decline of Public Interest” quickly follows, primarily for two reasons. One is that the government solution may have solved, or at least mitigated, the issue to the point at which the public is mollified. Conversely, the public may have realized that the cost of fixing the problem outweighs the benefits. Lastly, the cycle culminates in the Post-problem phase. At this point, the issue recedes from the public eye and again becomes largely the concern of issue experts.
    Presently, it would seem that the issue is hovering between the “Alarmed Discovery” and “Realizing the Cost of Progress” stages. As the public, the business world, and governments all discover the issue of consumer privacy and the costs of ensuring said privacy, this “feedback” is being delivered into the political system. The result is tangible. In the 108th Congress, 173 bills were proposed that dealt with privacy. In the first several months of the 109th Congress, fifty such bills have already been introduced. Congress is attempting to deal with a very real and costly phenomenon without being overly burdensome to business.
    There are two public policy theories at work here. The first is the incremental nature of change in public policy. According to public administration scholar Charles Lindblom, the government moves in incremental stages because the ends of government in a democratic society are fluid, and undertaking paradigm-changing policy shifts may not be in the continued best interest, or the perceived interest, of the constituents. Additionally, as is the case with issues that are relatively new, Congress may not necessarily be certain what legislative measures are required. For that reason, it is more likely that Congress would pass a number of laws instigating minor changes as opposed to passing one law that mandates sweeping changes to the way business is conducted. Examples of the incremental nature of privacy policy change abound. They include the reluctance of Congress to grant greater powers of privacy regulation to the FTC, stating that the power to enforce privacy policies is granted to the body in its charter. Additionally, notice that Congress has shied away from passing one all-encompassing law regarding personal privacy. Rather, the laws that are being proposed and passed are aimed at specific business segments: those that market to children, financial services, and healthcare providers. Over time, these laws may be refined or even combined based upon their effectiveness and changes in the business and legal environment.
    The second theory working in this situation is that of policy learning. This phenomenon is complementary to incrementalism. It is imperative to understand that policy creation is a dynamic process. As policy is created, it is also monitored by the agencies charged with the implementation of that policy. Frequently, bills include measures under which the agency must appear before Congress within 1-2 years with a report on the effectiveness of the policy. Through such reports, Congress can better understand whether or not the policy is having the desired effect. It is not uncommon to find that policies are having a beneficial effect, just not the effect that was expected. For example, a local government may implement an after-school program designed to help at-risk youth improve their standardized test scores. At the annual program review, the government may find that while the impact on test scores was minimal, the drop-out rate among that group decreased dramatically. Few would deny the benefit of reducing the drop-out rate, but it was not the effect that was envisioned when the program was implemented.
    Taking these two theories, incrementalism and policy learning, together, it is not likely that Congress will pass an omnibus privacy law in the mold of the EU Data Privacy Directive any time in the near future. Though some comprehensive bills have been introduced on the floor, it is more likely that Congress will continue to pass laws specific to certain business segments or models until privacy regulations begin to converge and share due standards of care and baselines of security for consumer data. At that point, it would not be surprising to see the privacy regulations consolidated. The point of this very brief lesson in public policy is that privacy legislation is not something that can be ignored. Though many businesses would like to hide their heads in the sand, it is more prudent to address the issue head-on, taking a proactive approach to privacy. Privacy is not an issue merely for processors and merchants, but is an issue that every company must face. Better to address it sooner rather than later, when the cost of retrofitting company policy, practice and infrastructure goes up and regulatory scrutiny becomes even more intense.