When it comes to priorities, a lot of companies and organizations still put security near the bottom of the list. Often the right people cannot make the right decisions, while the wrong people go ahead with decisions that affect the security of the whole organization. If the person in charge does not see any immediate benefit in taking security precautions, then most of the time the precautions are simply not taken.
That is what laws are for. If there were no law dealing with things such as data leakage and information theft, many organizations would not bother with the security of their employees' and customers' data at all.
The reasons vary, but most of the time it boils down to security being seen as a nuisance, or as too restrictive to get any work done. Some of these organizations hold very sensitive information, hospitals for example.
For health care there is an act called HIPAA (the Health Insurance Portability and Accountability Act) which specifically addresses privacy and security from administrative, physical and technical perspectives.
Michael at infosecplace.com comments that no one seemed to take action against the medical firms that recently lost patient and employee data. If the laws are there but are not enforced, they make no difference; it is as if they never existed in the first place, and the people who would otherwise take security seriously because of the repercussions won't give a flying duck.
References:
http://infosecplace.com/blog/2007/02/20/medical-firms-losing-data/
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
http://www.securityfocus.com/brief/440
http://www.upi.com/NewsTrack/Business/20070215-103624-3466r/
http://www.jhu.edu/identityalert/faq.html