For data privacy / security, I think a simple rule would be effective provided it had teeth:

Any organization that holds personal data can be sued if such data is misused or exposed (even if hacked). Further, ensure that people cannot revoke their right to sue. Nor can they agree to any damage reduction in advance.

Otherwise stated, make every CTO committed to collecting / storing the minimum amount of data.