A critical problem is assessing how far a company is legally obligated to go in order to secure personal data. Because there is no such thing as perfect security (i.e., there is always more that you can do), resolving this question can significantly affect cost.
a. When are security measures that a company implements sufficient to comply with its obligations?
b. Is there any way for a company to know if its security measures are sufficient? Can you devise a method for any organization to determine if its security measures are sufficient?