In the UK, it is apparently illegal, under the "Data Protection Act," for a company to allow personal data of its customers to be exposed (presumably, it would be acceptable with permission from the customers). I think this is a great idea, as it puts a legal "no excuses" burden on companies to really secure their data. Maybe we should have such a thing here in the U.S.