Derek E. Bambauer (Brooklyn Law School) has posted Rules, Standards, and Geeks (Brooklyn Journal of Corporate Finance & Commercial Law, Vol. 5, p. 49, 2011) on SSRN. Here is the abstract:
Policymakers and scholars generally assume that information technology is best regulated using standards, not rules. This Article argues that rules are often the superior choice. Those favoring standards typically focus on the wrong problem: they seek to prevent data spills, rather than to mitigate their impact. Rules can helpfully reduce a breach's effects. For technology, rules are preferable when they can specify a minimum level of protection that is relatively effective; where obsolescence occurs slowly; and where monitoring implementation is low-cost and accurate. The Article sets out examples of where each type of approach is superior. Application design is best governed by standards, while the transport and storage of data, along with identification of access to information, are best dealt with via rules. The Article questions the prevailing consensus in favor of standards for regulating technology, and also seeks to create testable predictions about when rules will work better.